Abstract


In a component-based design context, we propose a relational interface theory for synchronous systems. A component is abstracted by its interface, which consists of input and output variables, as well as one or more contracts. A contract is a relation between input and output assignments. In the stateless case, there is a single contract that holds at every synchronous round. In the general, stateful, case, the contract may depend on the state, modeled as the history of past observations. Interfaces can be composed by connection or feedback. Parallel composition is a special case of connection. Feedback is allowed only for Moore interfaces, where the contract does not depend on the current values of the input variables that are connected (although it may depend on past values of such variables). The theory includes explicit notions of environments, pluggability and substitutability. Environments are themselves interfaces. Pluggability means that the closed-loop system formed by an interface and an environment is well-formed, that is, a state with unsatisfiable contract is unreachable. Substitutability means that an interface can replace another interface in any environment. A refinement relation between interfaces is proposed, that has two main properties: first, it is preserved by composition; second, it is equivalent to substitutability for well-formed interfaces. Shared refinement and abstraction operators, corresponding to greatest lower and least upper bounds with respect to refinement, are also defined. Input-complete interfaces, that impose no restrictions on inputs, and deterministic interfaces, that produce a unique output for any legal input, are discussed as special cases, and an interesting duality between the two classes is exposed. A number of illustrative examples are provided, as well as algorithms to compute compositions, check refinement, and so on, for finite-state interfaces.

1 Introduction

Compositional methods, which allow smaller components to be assembled into larger systems both efficiently and correctly, are not simply a desirable feature in system design: they are a must for designing large and complex systems. It is not surprising, then, that a very large body of research has tackled compositionality in the past. Our work is situated in the context of interface theories [14, 15], which represent one such body of research. An interface can be seen as an abstraction of a component: on one hand, it captures information that is essential in order to use the component in a given context; on the other hand, it hides unnecessary information, making reasoning simpler and more efficient.

The type of information about a component that is exposed in an interface is likely to vary depending on the application. For instance, if we are interested simply in type checking, we might abstract a component (say, a C or Java function) simply by its type signature. If, on the other hand, we are interested in checking correctness properties, say, that a division component never attempts a division by zero, then simple types are not enough, and we would like to have a more detailed interface. Therefore, we should not expect a single, "fits-all", interface theory, but multiple theories that are more or less suitable for different purposes. Suitability metrics could include expressiveness, ease of modeling, as well as tractability of the computational problems involved.

* This report is a revised version of [47, 48]. This work was supported in part by the Center for Hybrid and Embedded Software Systems (CHESS) at UC Berkeley, which receives support from the National Science Foundation (NSF awards #0720882 (CSR-EHS: PRET) and #0720841 (CSR-CPS)), the U.S. Army Research Office (ARO #W911NF-07-2-0019), the U.S. Air Force Office of Scientific Research (MURI #FA9550-06-0312 and AF-TRUST #FA9550-06-1-0244), the Air Force Research Lab (AFRL), the Multiscale Systems Center (MuSyC) and the following companies: Agilent, Bosch, National Instruments, Thales, and Toyota. This work was also supported by the COMBEST and ArtistDesign projects of the European Union, and the Swiss National Science Foundation. Authors' emails: {stavros,blickly,eal}@eecs.berkeley.edu, tah@ist.ac.at. Corresponding author's address: Stavros Tripakis, 545Q, DOP Center, Cory Hall, EECS Department, University of California, Berkeley, CA 94720-1772, USA.

Our work has been motivated by the domains of embedded and cyber-physical systems [24, 30]. In order to build such systems reliably and efficiently, model-based design has been proposed as a paradigm, where formal models are heavily used at the design and analysis levels, and then semantics-preserving implementations are derived from these models as much as possible automatically. The models are often domain specific, since it is important for designers to reason at levels of abstraction appropriate for their domain. Tools such as Simulink from The MathWorks,^1 SCADE from Esterel Technologies,^2 or Ptolemy from Berkeley,^3 and languages such as the synchronous languages [8] are important players in this field [38]. The semantics of the above models rely on the synchronous model of computation, which directly inspired this work.

In our theory, a component is captured by its interface, which contains a set of input variables, a set of output variables, and a set of contracts. A contract is simply a relation between assignments of values to input and output variables. Syntactically, we use a logical formalism such as first-order logic to represent and manipulate contracts. For example, if $x_1$ and $x_2$ are input variables and $y$ is an output variable, then $x_2 \neq 0 \wedge y = \frac{x_1}{x_2}$ could be the contract of a component that performs division. A more abstract contract for the same component, that only specifies the sign of the output based on the inputs, is the following: $x_2 \neq 0 \wedge (y < 0 \equiv (x_1 < 0 < x_2 \vee x_2 < 0 < x_1))$. An even more abstract contract is $x_2 \neq 0$.^4

Interfaces govern the operation of a component, which is assumed to evolve in a sequence of synchronous rounds. Within a round, values are assigned to the input variables of the component by its environment, and the component assigns values to its output variables. Together the two assignments form a complete assignment over all variables. This assignment must satisfy the contract. Interfaces can be stateless or stateful. In the stateless case, there is a single contract that holds at every round. In the general, stateful case, there is a different contract for every state. A state is modeled as a history of observations, that is, as a finite sequence of complete assignments. The set of states, as well as the set of contracts, can therefore be infinite, and our theory can handle that. But it is useful to consider also the special case of finite-state interfaces, where many different states have the same contract, and the set of contracts is finite. Note that the domains of variables could still be infinite. Finite-state interfaces are represented as finite automata whose locations are labeled by contracts (e.g., formulas).

Interfaces can be composed so that a new interface is obtained as the composition of other interfaces. We provide two composition operators, composition by connection and composition by feedback, studied in Section 5. Connection essentially corresponds to sequential composition; however, it can also capture parallel composition as a special case (empty connection). Importantly, composition by connection is not the same as composition of relations, except in the special case when the interface that provides the outputs is deterministic. This is because, similarly to other works, we use a demonic interpretation of non-determinism, corresponding to universal instead of existential quantification. Feedback is allowed only for Moore interfaces, where the contract does not depend on the current values of the input variables that are fed back (although it may depend on past values of such variables).

Composition generates redundant output variables, in the sense that they are equal at every round. We propose a hiding operator (Section 6) that allows elimination of such output variables. Hiding is always possible for stateless interfaces and corresponds to existentially quantifying variables in the contract. The situation is more subtle in the stateful case, where we need to ensure that the "hidden" variables do not influence the evolution of the contract from one state to the next.

^1 See http://www.mathworks.com/products/simulink/.

^2 See http://www.esterel-technologies.com/products/scade-suite/.

^3 See http://ptolemy.eecs.berkeley.edu/.

^4 These contracts implicitly use the fact that variables are numbers, symbols like $=$ for equality, and arithmetic operations such as division. Our theory does not depend on these, and works with variables of any domain, without assuming any properties on such domains. In practice, however, as well as for illustration purposes, we often use such properties.

Our theory includes explicit notions of environments, pluggability and substitutability (see Section 7). An environment $E$ for an interface $I$ is simply an interface whose input and output variables "mirror" those of $I$. $I$ is pluggable to $E$ (and vice versa) iff the closed-loop system formed by connecting the two is well-formed, that is, never reaches a state with an unsatisfiable contract. In general, we distinguish between well-formed and well-formable interfaces (the two notions coincide for stateless interfaces). Well-formable interfaces are not necessarily well-formed, but can be made well-formed by appropriately restricting their inputs. As in [15], controller-synthesis type procedures can be used to check whether a given finite-state interface is well-formable and, if it is, transform it into a well-formed one. Substitutability means that an interface $I'$ can replace another interface $I$ in any environment. That is, for any environment $E$, if $I$ is pluggable to $E$ then $I'$ is also pluggable to $E$.

Our theory includes a refinement relation between interfaces, studied in Section 8. Our refinement is similar in spirit to other refinement relations, such as alternating refinement [4], refinement of A/G interfaces [15, 19], subcontracting in Eiffel [37], or function subtyping in type theory [41, 32], which, roughly speaking, require that $I'$ refines $I$ iff $I'$ accepts more inputs and produces fewer outputs than $I$. This requirement is easy to formalize as $(\mathit{in} \rightarrow \mathit{in}') \wedge (\mathit{out}' \rightarrow \mathit{out})$ when input assumptions $\mathit{in}$ are separated from output guarantees $\mathit{out}$, but needs to be extended in our case, where constraints on inputs and outputs are mixed in the same contract $\phi$. We do this by requiring $\mathsf{in}(\phi) \rightarrow (\mathsf{in}(\phi') \wedge (\phi' \rightarrow \phi))$, where $\mathsf{in}(\phi)$ is the projection of $\phi$ to the inputs, that is, the assumption part. This definition applies to the stateless case where an interface has a single contract $\phi$, but can be easily extended to the stateful case.

Refinement is shown to be a partial order with the following main properties: first, it is preserved by composition; second, it is equivalent to substitutability for well-formed interfaces (more precisely: refinement always implies substitutability; the converse holds when the refined interface is well-formed). Refinement always preserves well-formability. Refinement does not preserve well-formedness in general, but it does so when the refining interface $I'$ has no more legal inputs than the refined interface $I$.

Our theory supports shared refinement of two interfaces $I$ and $I'$ (Section 9). This is important for component reuse, as argued in [19]. Shared refinement, when defined, is shown to be the greatest lower bound with respect to refinement, and is therefore denoted $I \sqcap I'$. $I \sqcap I'$ is an interface that refines both $I$ and $I'$; therefore, it can replace both in any context. In this paper we also propose a corresponding shared abstraction operator which is shown to be the least upper bound with respect to refinement, denoted $I \sqcup I'$.

As a special case, we discuss input-complete interfaces, that impose no restrictions on inputs, and deterministic interfaces, where contracts are partial functions instead of relations. These two subclasses of interfaces are interesting, first, because the theory is greatly simplified in those cases: refinement is implication of contracts, composition is composition of relations, and so on. Second, there is an interesting duality between the two subclasses, as shown in Sections 10 and 11.

One of the appealing features of our theory is that it allows a declarative way of specifying contracts, and a symbolic way of manipulating them, as logical formulas. For this reason, it is relatively straightforward to develop algorithms that implement the theory for finite-state interfaces. We provide such algorithms throughout the text, for instance, for composing interfaces, checking refinement, and so on. These algorithms compute some type of product of the automata that represent the interfaces and syntactically manipulate their contracts. Checking satisfiability is required for checking refinement, well-formability, and so on. Decidability of this problem will of course depend on the types of formulas used. Recent advances in SAT modulo theories and SMT solvers can be leveraged for this task.


2 Related work

Abstracting components in some mathematical framework that offers stepwise refinement and compositionality guarantees is an old idea. It goes back to the work of Floyd and Hoare on proving program correctness using pre- and post-conditions [20, 25] (a pair of pre- and post-conditions can be seen as a contract for a piece of sequential code) and the work of Dijkstra and Wirth on stepwise refinement as a method for gradually developing programs from their specifications [17, 49]. These ideas were used and developed further in a large number of works, including Abrial's Z notation [44] and B method [2], Liskov's work on CLU [31], Meyer's design-by-contract paradigm [37], as well as Back's work on the refinement calculus [5]. The latter work uses the term contract and its game interpretation, as well as demonic non-determinism, that we also use in our framework.

Using relations as program specifications is also not new, and goes back to the work of Parnas on DL relations [40]. A survey of this body of work is provided in [28]. Of relevance is the relational calculus developed in [21] for sequential programs, where a demonic interpretation of relations is also used.

In a reactive-system setting, Broy considers a relational framework where specifications are sets of stream-processing functions [10, 11]. This framework is more general than ours, in that it can capture stream-processing functions that are not necessarily length-preserving (ours are, because of synchrony of inputs and outputs). On the other hand, Broy uses the more standard definitions of refinement as logical implication (trace inclusion) and composition as composition of relations.

In Dill's trace theory, a component is described using a pair of sets of traces, for legal and illegal behaviors, respectively (successes and failures) [18]. The theory distinguishes between input and output symbols, but does not impose synchrony of inputs and outputs, since one of its goals is to capture asynchronous circuits. Dill's theory includes an explicit notion of environment, as the "mirror" of a trace structure with input and output symbols reversed. Refinement (called conformation) in that theory induces a lattice.

Like trace structures, the framework of interface automata [14] also has an asynchronous, operational flavor. It can capture input-output relations, but in a more explicit or enumerative manner. Our framework is of a more declarative, denotational and symbolic nature. I/O automata [34] are also related, but are by definition input-complete.

Interface theories are naturally related to work on compositional verification, where the main purpose is to break down the task of checking correctness of a large model into smaller tasks, that are more amenable to automation. A very large body of research exists on this topic. Some of this work is based on an asynchronous, interleaving-based concurrency model, e.g., see [39, 45, 27], some on a synchronous model, e.g., see [22, 36], while others are done within a temporal logic framework, e.g., see [6, 1]. Many of these works are based on the assume-guarantee paradigm, and they typically use some type of trace inclusion or simulation as refinement relation, e.g., see [26, 45, 43, 23].

[15] defines relational nets, which are networks of processes that non-deterministically relate input values to output values. [15] does not provide an interface theory for the complete class of relational nets. Instead it provides interface theories for subclasses, in particular: rectangular nets which have no input-output dependencies; total nets which can have input-output dependencies but are input-complete; and total and rectangular nets which combine both restrictions above. The interfaces provided in [15] for rectangular nets are called assume/guarantee (A/G) interfaces. A/G interfaces form a strict subclass of the relational interfaces that we consider in this paper: A/G interfaces separate the assumptions on the inputs from the guarantees on the outputs, and as such cannot capture input-output relations; on the other hand, every A/G contract can be trivially captured as a relational contract by taking the conjunction of the assume and guarantee parts. [15] studies stateless A/G interfaces, while [19] studies also stateful A/G interfaces, in a synchronous setting similar to the one considered in this paper. [19] also discusses extended interfaces which are essentially the same as the relational interfaces that we study in this paper. However, difficulties with synchronous feedback loops (see discussion below) lead [19] to conclude that extended interfaces are not appropriate.

[13] considers synchronous Moore interfaces, defined by two formulas $\phi_i$ and $\phi_o$ that specify the legal values of the input and output variables, respectively, at the next round, given the current state. This formulation does not allow describing relations between inputs and outputs within the same round, as our relational theory does.

Both [15] and [19] can handle very general compositions of interfaces, that can be obtained via parallel composition and arbitrary connection (similar to the denotational composition framework of [29]). This allows, in particular, arbitrary feedback loops to be created. In a relational framework, however, synchronous feedback loops can be problematic, as discussed in Example 13 (see also Section 12).
3 Preliminaries, notation

We use first-order logic (FOL) notation throughout the paper. For an introduction to FOL, see, for instance, [46]. We use $\mathsf{true}$ and $\mathsf{false}$ for the logical constants true and false, $\neg$, $\wedge$, $\vee$, $\rightarrow$, $\equiv$ for logical negation, conjunction, disjunction, implication, and equivalence, and $\exists$ and $\forall$ for existential and universal quantification, respectively. We use $:=$ when defining concepts or introducing new notation: for instance, $x_0 := \max\{1, 2, 3\}$ defines $x_0$ to be the maximum of the set $\{1, 2, 3\}$.

Let $V$ be a finite set of variables. A property over $V$ is a FOL formula $\phi$ such that any free variable of $\phi$ is in $V$. The set of all properties over $V$ is denoted $\mathcal{F}(V)$. Let $\phi$ be a property over $V$ and $V'$ be a finite subset of $V$, $V' = \{v_1, v_2, \ldots, v_n\}$. Then, $\exists V' : \phi$ is shorthand for $\exists v_1 : \exists v_2 : \cdots : \exists v_n : \phi$. Similarly, $\forall V' : \phi$ is shorthand for $\forall v_1 : \forall v_2 : \cdots : \forall v_n : \phi$.

We will implicitly assume that all variables are typed, meaning that every variable is associated with a certain domain. An assignment over a set of variables $V$ is a (total) function mapping every variable in $V$ to a certain value in the domain of that variable. The set of all assignments over $V$ is denoted $\mathcal{A}(V)$. If $a$ is an assignment over $V_1$ and $b$ is an assignment over $V_2$, and $V_1, V_2$ are disjoint, we use $(a, b)$ to denote the combined assignment over $V_1 \cup V_2$. A formula $\phi$ is satisfiable iff there exists an assignment $a$ over the free variables of $\phi$ such that $a$ satisfies $\phi$, denoted $a \models \phi$. A formula $\phi$ is valid iff it is satisfied by every assignment.

There is a natural mapping from formulas to sets of assignments, that is, from $\mathcal{F}(V)$ to $2^{\mathcal{A}(V)}$. In particular, a formula $\phi \in \mathcal{F}(V)$ can be interpreted as the set of all assignments over $V$ that satisfy $\phi$. Conversely, we can map a subset of $\mathcal{A}(V)$ to a formula over $V$, provided this subset is representable in FOL. Because of this correspondence, we use set-theoretic or logical notation, as is more convenient. For instance, if $\phi$ and $\phi'$ are formulas or sets of assignments, we write $\phi \wedge \phi'$ or $\phi \cap \phi'$ interchangeably.

If $S$ is a set, $S^*$ denotes the set of all finite sequences of elements of $S$. $S^*$ includes the empty sequence, denoted $\epsilon$. If $s, s' \in S^*$, then $s \cdot s'$ is the concatenation of $s$ and $s'$. $|s|$ denotes the length of $s \in S^*$, with $|\epsilon| = 0$ and $|s \cdot a| = |s| + 1$, for $a \in S$. If $s = a_1 a_2 \cdots a_n$, then the $i$-th element of the sequence, $a_i$, is denoted $s_i$, for $i = 1, \ldots, n$. A prefix of $s \in S^*$ is a sequence $s' \in S^*$ such that there exists $s'' \in S^*$ such that $s = s' \cdot s''$. We write $s' \le s$ if $s'$ is a prefix of $s$. $s' < s$ means $s' \le s$ and $s' \neq s$. A subset $L \subseteq S^*$ is prefix-closed if for all $s \in L$, for all $s' \le s$, $s' \in L$.


4 Relational interfaces

Definition 1 (Relational interface) A relational interface (or simply interface) is a tuple $I = (X, Y, f)$ where $X$ and $Y$ are two finite and disjoint sets of input and output variables, respectively, and $f$ is a non-empty, prefix-closed subset of $\mathcal{A}(X \cup Y)^*$.

We write $\mathsf{InVars}(I)$ for $X$, $\mathsf{OutVars}(I)$ for $Y$ and $f(I)$ for $f$. We allow $X$ or $Y$ to be empty: if $X$ is empty then $I$ is a source interface; if $Y$ is empty then $I$ is a sink. An element of $\mathcal{A}(X \cup Y)^*$ is called a state. That is, we identify states with observation histories. The initial state is the empty sequence $\epsilon$. The states in $f$ are also called the reachable states of $I$. $f$ defines a total function that maps a state to a set of input-output assignments. We use the same symbol $f$ to refer to this function. For $s \in \mathcal{A}(X \cup Y)^*$, $f(s)$ is defined as follows:

$$f(s) := \{a \in \mathcal{A}(X \cup Y) \mid s \cdot a \in f\}.$$

We view $f(s)$ as a contract between a component and its environment at that state. The contract changes dynamically, as the state evolves.

Conversely, if we are given a function $f : \mathcal{A}(X \cup Y)^* \to 2^{\mathcal{A}(X \cup Y)}$, we can define a non-empty, prefix-closed subset of $\mathcal{A}(X \cup Y)^*$ as follows:

$$f := \{a_1 \cdots a_k \mid \forall i = 1, \ldots, k : a_i \in f(a_1 \cdots a_{i-1})\}.$$

Notice that $\epsilon \in f$ because the condition above trivially holds for $k = 0$. Also note that if $s \notin f$ then $f(s) = \emptyset$. This is because $f$ is prefix-closed.

Because of the above 1-1 correspondence, in the sequel, we treat $f$ either as a subset of $\mathcal{A}(X \cup Y)^*$ or as a function that maps states to contracts, depending on what is more convenient. We will assume that $f(s)$ is representable by a FOL formula. Therefore, $f(s)$ can be seen also as an element of $\mathcal{F}(X \cup Y)$.

Definition 2 (Input assumptions) Given a contract $\phi \in \mathcal{F}(X \cup Y)$, the input assumption of $\phi$ is the formula $\mathsf{in}(\phi) := \exists Y : \phi$. Note that $\mathsf{in}(\phi)$ is a property over $X$. Also note that $\phi \rightarrow \mathsf{in}(\phi)$ is a valid formula for any $\phi$.

A relational interface $I = (X, Y, f)$ can be seen as specifying a game between a component and its environment. The game proceeds in a sequence of rounds. At each round, an assignment $a \in \mathcal{A}(X \cup Y)$ is chosen, and the game moves to the next round. Therefore, the history of the game is the sequence of rounds played so far, that is, a state $s \in \mathcal{A}(X \cup Y)^*$. Suppose that at the beginning of a round the state is $s$. The environment plays first, by choosing $a_X \in \mathcal{A}(X)$. If $a_X \notin \mathsf{in}(f(s))$ then this is not a legal input and the environment loses the game. Otherwise, the component plays by choosing $a_Y \in \mathcal{A}(Y)$. If $(a_X, a_Y) \notin f(s)$ then this is not a legal output for this input, and the component loses the game. Otherwise, the round is complete, and the game moves to the next round, with new state $s \cdot (a_X, a_Y)$.

An input-complete interface is one that does not restrict its inputs:

Definition 3 (Input-complete interface) An interface $I = (X, Y, f)$ is input-complete if for all $s \in \mathcal{A}(X \cup Y)^*$, $\mathsf{in}(f(s))$ is valid.

A deterministic interface is one that maps every input assignment to at most one output assignment:

Definition 4 (Determinism) An interface $I = (X, Y, f)$ is deterministic if for all $s \in f$, for all $a_X \in \mathsf{in}(f(s))$, there is a unique $a_Y \in \mathcal{A}(Y)$ such that $(a_X, a_Y) \in f(s)$.

The specializations of our theory to input-complete and deterministic interfaces are discussed in Sections 10 and 11, respectively.

A stateless interface is one where the contract is independent from the state:

Definition 5 (Stateless interface) An interface $I = (X, Y, f)$ is stateless if for all $s, s' \in \mathcal{A}(X \cup Y)^*$, $f(s) = f(s')$.

For a stateless interface, we can treat $f$ as a subset of $\mathcal{A}(X \cup Y)$ instead of a subset of $\mathcal{A}(X \cup Y)^*$. For clarity, if $I$ is stateless, we write $I = (X, Y, \phi)$, where $\phi$ is a property over $X \cup Y$.

Example 1 Consider a component which is supposed to take as input a positive number $n$ and return $n$ or $n + 1$ as output. We can capture such a component in different ways. One way is to use the following stateless interface:

$$I_1 := (\{x\}, \{y\}, x > 0 \wedge (y = x \vee y = x + 1)).$$

Here, $x$ is the input variable and $y$ is the output variable. The contract of $I_1$ explicitly forbids zero or negative values for $x$. Indeed, we have $\mathsf{in}(I_1) = x > 0$.

Another possible stateless interface for this component is:

$$I_2 := (\{x\}, \{y\}, x > 0 \rightarrow (y = x \vee y = x + 1)).$$

The contract of $I_2$ is different from that of $I_1$: it allows $x \le 0$, but makes no guarantees about the output $y$ in that case. $I_2$ is input-complete, whereas $I_1$ is not. Both $I_1$ and $I_2$ are non-deterministic.
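Definitions 2 to 5 above, together with the stateless refinement condition $\mathsf{in}(\phi) \rightarrow (\mathsf{in}(\phi') \wedge (\phi' \rightarrow \phi))$ stated in the introduction, can all be decided by plain enumeration once the variable domains are finite. The following Python is an added example and not code from the paper: it assumes small constructed integer domains for $x$ and $y$, encodes the two contracts of Example 1 as predicates, and adds a constructed deterministic variant $I_3$ to show the determinism check and a refinement that holds by producing fewer outputs.

```python
"""Stateless relational interfaces over finite domains (added example).

A stateless interface I = (X, Y, phi) is represented with X and Y as tuples of
variable names and phi as a Python predicate over a complete assignment (a
dict).  The per-variable domains below are a constructed assumption so that
in(phi), input-completeness, determinism and refinement are decidable by
enumeration; the paper itself allows arbitrary, even infinite, domains.
"""
from itertools import product

# Constructed finite domains (assumption): y's domain is wide enough that
# y = x + 1 is representable for every positive x.
DOMAINS = {"x": range(-2, 3), "y": range(-2, 5)}


def assignments(variables):
    """A(V) for the given variables, each assignment as a dict."""
    for values in product(*(DOMAINS[v] for v in variables)):
        yield dict(zip(variables, values))


class Interface:
    def __init__(self, inputs, outputs, contract):
        self.X = tuple(inputs)
        self.Y = tuple(outputs)
        self.phi = contract  # relation between input and output assignments

    def outputs_for(self, a_x):
        """All a_y such that (a_x, a_y) satisfies phi."""
        return [a_y for a_y in assignments(self.Y) if self.phi({**a_x, **a_y})]

    def legal_inputs(self):
        """in(phi) := exists Y : phi, as the set of input assignments that
        have at least one satisfying output assignment (Definition 2)."""
        return {frozenset(a_x.items()) for a_x in assignments(self.X)
                if self.outputs_for(a_x)}

    def is_input_complete(self):
        """Definition 3: in(phi) is valid, i.e. every input is legal."""
        return all(self.outputs_for(a_x) for a_x in assignments(self.X))

    def is_deterministic(self):
        """Definition 4: every legal input has exactly one output."""
        return all(len(self.outputs_for(a_x)) <= 1 for a_x in assignments(self.X))


def refines(new, old):
    """Stateless refinement from the introduction: with phi the contract of
    `old` and phi' the contract of `new`, check for every assignment
        in(phi) -> (in(phi') and (phi' -> phi)).
    Both interfaces are assumed to have the same X and Y."""
    assert new.X == old.X and new.Y == old.Y
    for a_x in assignments(old.X):
        old_outs = old.outputs_for(a_x)
        if not old_outs:
            continue                      # in(phi) is false: nothing required
        new_outs = new.outputs_for(a_x)
        if not new_outs:
            return False                  # new rejects an input old accepts
        if any(a_y not in old_outs for a_y in new_outs):
            return False                  # new produces an output old forbids
    return True


# Example 1 of the paper: take a positive number, return it or its successor.
I1 = Interface(["x"], ["y"], lambda a: a["x"] > 0 and a["y"] in (a["x"], a["x"] + 1))
I2 = Interface(["x"], ["y"], lambda a: a["x"] <= 0 or a["y"] in (a["x"], a["x"] + 1))
# Constructed deterministic variant (not in the paper): always the successor.
I3 = Interface(["x"], ["y"], lambda a: a["x"] > 0 and a["y"] == a["x"] + 1)


def legal_x_values(interface):
    """The x-values in in(phi), for a single-input interface."""
    return {dict(s)["x"] for s in interface.legal_inputs()}


if __name__ == "__main__":
    print("in(I1) =", sorted(legal_x_values(I1)))          # [1, 2] over the domain
    print("I2 input-complete:", I2.is_input_complete())     # True
    print("I1 deterministic:", I1.is_deterministic())       # False
    print("I3 deterministic:", I3.is_deterministic())       # True
    print("I2 refines I1:", refines(I2, I1))                 # True
    print("I1 refines I2:", refines(I1, I2))                 # False
```

Note that `refines(I2, I1)` holds while `refines(I1, I2)` does not: $I_2$ accepts every input that $I_1$ accepts and produces the same outputs there, whereas $I_1$ rejects the inputs $x \le 0$ that $I_2$ allows. $I_3$ refines $I_1$ for the other reason the introduction names, fewer outputs on the same inputs.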

In general, the state space of an interface is infinite. In some cases, however, only a finite set of states is needed to specify $f$. In particular, $f$ may be specified by a finite-state automaton:
Definition 6 (Finite-state interface) A finite-state interface is specified by a finite-state automaton $M = (X, Y, L, \ell_0, C, T)$. $X$ and $Y$ are sets of input and output variables, respectively. $L$ is a finite set of locations and $\ell_0 \in L$ is the initial location. $C : L \to 2^{\mathcal{A}(X \cup Y)}$ is a labeling function that labels every location with a set of assignments over $X \cup Y$, the contract at that location. $T \subseteq L \times 2^{\mathcal{A}(X \cup Y)} \times L$ is a set of transitions. A transition $t \in T$ is a tuple $t = (\ell, g, \ell')$ where $\ell, \ell'$ are the source and destination locations, respectively, and $g \subseteq \mathcal{A}(X \cup Y)$ is the guard of the transition. We require that, for all $\ell \in L$:

$$C(\ell) = \bigcup_{(\ell, g, \ell') \in T} g \qquad (1)$$

$$\forall (\ell, g_1, \ell_1), (\ell, g_2, \ell_2) \in T : \ell_1 \neq \ell_2 \rightarrow g_1 \cap g_2 = \emptyset \qquad (2)$$

These conditions ensure that there is a unique outgoing transition for every assignment that satisfies the contract of the location. Given $a \in C(\ell)$, the $a$-successor of $\ell$ is the unique location $\ell'$ for which there exists a transition $(\ell, g, \ell')$ such that $a \in g$. A location $\ell$ is called reachable if, either $\ell = \ell_0$, or there exists a reachable location $\ell'$, a transition $(\ell', g, \ell)$, and an assignment $a$ such that $\ell$ is the $a$-successor of $\ell'$.

$M$ defines interface $I = (X, Y, f)$ where $f$ is the set of all sequences $a_1 \cdots a_k \in \mathcal{A}(X \cup Y)^*$ such that for all $i = 1, \ldots, k$, $a_i \in C(\ell_{i-1})$, where $\ell_i$ is the $a_i$-successor of $\ell_{i-1}$.

Note  that  a  finite-state  interface  can  still  have  variables  with  infinite  domains.  Also  notice  that  we  allow 
C{£),  the  contract  at  location  £,  to  be  empty.  This  simply  means  that  the  interface  is  not  well- formed  (see 
Definition  7  that  follows).  Finally,  although  the  guard  of  an  outgoing  transition  from  a  certain  location  must 
be  a  subset  of  the  contract  of  that  location,  we  will  often  abuse  notation  and  violate  this  constraint  in  the 
examples  that  follow,  for  the  sake  of  simplicity.  Implicitly,  all  guards  should  be  understood  in  conjunction 
with  the  contracts  of  their  source  locations. 

It  is  also  worth  noting  that  although  the  finite-state  automaton  defining  a  finite-state  interface  is  de¬ 
terministic,  this  does  not  mean  that  the  interface  itself  is  deterministic.  Indeed,  in  general,  it  is  not,  since 
contracts  that  label  locations  are  still  non-deterministic  input-output  relations. 

An example of a finite-state interface follows:

Example 2 (Buffer) Figure 1 shows a finite-state automaton defining a finite-state interface for a single-place buffer. The interface has two input variables, $write$ and $read$, and two output variables, $empty$ and $full$. All variables are boolean. The automaton has two locations, $\ell_0$ (the initial location) and $\ell_1$. Each location is implicitly annotated by the conjunction of a global contract, that holds at all locations, and a local contract, specific to a location. In this example, the global contract specifies that the buffer cannot be both empty and full (this is a guarantee on the outputs) and that a user of the buffer cannot read and write at the same round (this is an assumption on the inputs). The global contract also specifies that if the buffer is full then writing is not allowed, and if the buffer is empty then reading is not allowed. Both are relational specifications that link inputs and outputs. The local contract at $\ell_0$ states that the buffer is empty and at $\ell_1$ that it is full.


Definition 7 (Well-formedness) An interface $I = (X, Y, f)$ is well-formed iff for all $s \in f$, $f(s)$ is non-empty.

Well-formed interfaces can be seen as describing components that never “deadlock”. If $I$ is well-formed then for all $s \in f$ there exists an assignment $a$ such that $s \cdot a \in f$. Moreover, $f$ is non-empty and prefix-closed by definition, therefore $\epsilon \in f$. This means that there exists at least one state in $f$ which can be extended to arbitrary length. In a finite-state interface, checking well-formedness amounts to checking that the contract of every reachable location of the corresponding automaton is satisfiable. If contracts are specified in a decidable logic, checking well-formedness of finite-state interfaces is thus decidable.

Figure 1: Interface for a buffer of size 1.

Example 3 Let $I$ be the finite-state interface represented by the left-most automaton shown in Figure 2. $I$ is assumed to have two boolean variables, an input $x$ and an output $y$. $I$ is not well-formed, because it has reachable states with contract false (all states starting with $x$ being false). $I$ can be transformed into a well-formed interface by strengthening the contract of the initial state from true to $x$, thus obtaining interface $I'$ shown to the right of the figure.

Figure 2: A well-formable interface $I$ and its well-formed witness.


Example 3 shows that some interfaces, even though they are not well-formed, can be turned into well-formed interfaces by appropriately restricting their inputs. This motivates the following definition:

Definition 8 (Well-formability) An interface $I = (X, Y, f)$ is well-formable if there exists a well-formed interface $I' = (X, Y, f')$ (called a witness) such that: for all $s \in f'$, $f'(s) = f(s) \land \phi_s$, where $\phi_s$ is some property over $X$.

Lemma 1 Let $I = (X, Y, f)$ be a well-formable interface and let $I' = (X, Y, f')$ be a witness to the well-formability of $I$. Then $f' \subseteq f$.

Proof: By induction, $\epsilon$ belongs in both $f$ and $f'$. Suppose $s \cdot a \in f'$. Thus $s \in f'$. By the induction hypothesis, $s \in f$. From $s \cdot a \in f'$ we get $a \in f'(s)$. Since $f'(s) = f(s) \cap \phi_s$ we have $a \in f(s)$, therefore $s \cdot a \in f$. ■

Clearly, every well-formed interface is well-formable, but the opposite is not true in general, as Example 3 shows. For stateless or source interfaces, however, the two notions coincide:

Theorem 1 A stateless or source interface $I$ is well-formed iff it is well-formable.

Proof: Well-formedness implies well-formability for all interfaces. For the converse, let $I = (X, Y, f)$ be a well-formable interface. Then there exists a witness $I' = (X, Y, f')$ such that $I'$ is well-formed.

First, suppose that $I$ is stateless. Then $f(s) = f(\epsilon)$ for any $s$. Since $I'$ is a witness, $f'(\epsilon) = f(\epsilon) \land \phi_\epsilon$, for some property $\phi_\epsilon$ over $X$. Since $I'$ is well-formed, $f'(\epsilon)$ is non-empty, thus $f(\epsilon)$ is also non-empty, thus so is $f(s)$ for any $s$.

Second, suppose that $I$ is a source, that is, $X = \emptyset$. Since $I'$ is a witness, for any state $s$, $f'(s) = f(s) \land \phi_s$, where $\phi_s$ is a property over $X$. Since $X$ is empty, $\phi_s$ can be either true or false. Since $f'(s)$ is non-empty, $\phi_s$ must be true for any $s$. Therefore, $f(s) = f'(s)$ for any $s$, thus $f(s)$ is non-empty for all $s$. ■


For an interface that is finite-state and whose contracts are written in a logic for which satisfiability is decidable, there is an algorithm to check whether the interface is well-formable, and if this is the case, to transform it into a well-formed interface. The algorithm essentially attempts to find a winning strategy in a game, and as such is similar in spirit to algorithms proposed in [14]. The algorithm starts by marking all locations with unsatisfiable contracts as illegal. Then, a location $\ell$ is chosen such that $\ell$ is legal, but has an outgoing transition $(\ell, g, \ell')$ such that $\ell'$ is illegal. If no such $\ell$ exists, the algorithm stops. Otherwise, the contract of $\ell$ is strengthened to

$$C(\ell) := C(\ell) \land (\forall Y : C(\ell) \to \neg g) \qquad (3)$$

$\forall Y : C(\ell) \to \neg g$ is a property on $X$. An input assignment $a_X$ satisfies this formula iff, for any possible output assignment $a_Y$ that the contract $C(\ell)$ can produce given $a_X$, the complete assignment $(a_X, a_Y)$ violates $g$. This means that there is a way of restricting the inputs at $\ell$, so that $\ell'$ becomes unreachable from $\ell$. Notice that, in the special case where $g$ is a formula over $X$, (3) simplifies to $C(\ell) := C(\ell) \land \neg g$.

If, during the strengthening process, the contract of a location becomes unsatisfiable, this location is marked as illegal. The process is repeated until no more strengthening is possible, whereupon the algorithm stops. Termination is guaranteed because each location has a finite number of successor locations, therefore it can only be strengthened a finite number of times. If, when the algorithm stops, the initial location $\ell_0$ has been marked illegal, then the interface is not well-formed. Otherwise, the modified automaton specifies a well-formed interface, which is a witness for the original interface.
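The strengthening game just described, run on boolean finite-state interfaces by plain enumeration, as an added example (illustration code written for this section, not the paper's own implementation): contracts and guards are sets of assignments, so the quantifier in (3) and the satisfiability checks the text delegates to a decision procedure are computed by exhaustion. The names `FiniteStateInterface`, `prop`, `strengthen`, `well_formed_witness` and the location labels `l0`, `l1` are this example's assumptions. `BUFFER` encodes Example 2 and is well-formed; `EX3` encodes Example 3 and is not, but the game strengthens its initial contract to $x$ exactly as Figure 2 shows; `NOT_FORMABLE` is a constructed variant where the illegal location is entered on an output choice, so no input restriction can remove it and the game reports that no witness exists.

```python
from itertools import product


def assignments(variables):
    """All assignments over boolean `variables`, as hashable frozensets of (var, value)."""
    variables = sorted(variables)
    return {frozenset(zip(variables, bits))
            for bits in product([False, True], repeat=len(variables))}


def prop(variables, predicate):
    """The property {a over `variables` | predicate(a)}, as a set of assignments."""
    return {a for a in assignments(variables) if predicate(dict(a))}


def inputs_of(assignment, X):
    """Projection of an assignment to the input variables X."""
    return frozenset((v, b) for v, b in assignment if v in X)


class FiniteStateInterface:
    """M = (X, Y, L, l0, C, T) of Definition 6.  Contracts and guards are sets of
    assignments over X ∪ Y; as in the text, a guard is read in conjunction with
    the contract of its source location."""

    def __init__(self, X, Y, initial, contracts, transitions):
        self.X, self.Y = frozenset(X), frozenset(Y)
        self.l0 = initial
        self.C = {loc: set(c) for loc, c in contracts.items()}
        self.T = [(src, set(g), dst) for src, g, dst in transitions]

    def reachable(self):
        """Locations reachable through transitions whose guard can actually fire."""
        seen, todo = {self.l0}, [self.l0]
        while todo:
            loc = todo.pop()
            for src, g, dst in self.T:
                if src == loc and (g & self.C[loc]) and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return seen

    def is_well_formed(self):
        """Definition 7 on the automaton: every reachable location is satisfiable."""
        return all(bool(self.C[loc]) for loc in self.reachable())


def strengthen(contract, guard, X):
    """Formula (3): C(l) := C(l) ∧ (∀Y : C(l) → ¬g).  An assignment survives only if
    every output the contract allows for its inputs stays outside the guard."""
    unsafe_inputs = {inputs_of(b, X) for b in contract & guard}
    return {a for a in contract if inputs_of(a, X) not in unsafe_inputs}


def well_formed_witness(iface):
    """The strengthening game of the text.  Returns a well-formed witness, or None
    when the initial location ends up illegal (the interface is not well-formable)."""
    C = {loc: set(c) for loc, c in iface.C.items()}
    illegal = {loc for loc, c in C.items() if not c}
    changed = True
    while changed:
        changed = False
        for src, g, dst in iface.T:
            if src in illegal or dst not in illegal:
                continue
            new = strengthen(C[src], g, iface.X)
            if new != C[src]:
                C[src], changed = new, True
                if not new:
                    illegal.add(src)
    if iface.l0 in illegal:
        return None
    return FiniteStateInterface(iface.X, iface.Y, iface.l0, C, iface.T)


# Example 2: the single-place buffer; each location carries global ∧ local contract.
BV = {"write", "read", "empty", "full"}
GLOBAL = prop(BV, lambda a: not (a["empty"] and a["full"]) and not (a["write"] and a["read"])
              and not (a["full"] and a["write"]) and not (a["empty"] and a["read"]))
BUFFER = FiniteStateInterface({"write", "read"}, {"empty", "full"}, "l0",
    {"l0": GLOBAL & prop(BV, lambda a: a["empty"]), "l1": GLOBAL & prop(BV, lambda a: a["full"])},
    [("l0", prop(BV, lambda a: a["write"]), "l1"), ("l0", prop(BV, lambda a: not a["write"]), "l0"),
     ("l1", prop(BV, lambda a: a["read"]), "l0"), ("l1", prop(BV, lambda a: not a["read"]), "l1")])

# Example 3: input x, output y; l0 has contract true, l1 has contract false, and a
# round with x = false moves from l0 to l1.
V = {"x", "y"}
TRUE, FALSE = assignments(V), set()
EX3 = FiniteStateInterface({"x"}, {"y"}, "l0", {"l0": TRUE, "l1": FALSE},
                           [("l0", prop(V, lambda a: a["x"]), "l0"),
                            ("l0", prop(V, lambda a: not a["x"]), "l1"),
                            ("l1", TRUE, "l1")])

# Constructed counterpart (not from the paper): the illegal location is entered on the
# *output* y, which the inputs cannot control, so no input restriction avoids it.
NOT_FORMABLE = FiniteStateInterface({"x"}, {"y"}, "l0", {"l0": TRUE, "l1": FALSE},
                                    [("l0", prop(V, lambda a: not a["y"]), "l0"),
                                     ("l0", prop(V, lambda a: a["y"]), "l1"),
                                     ("l1", TRUE, "l1")])
```

Running `well_formed_witness(EX3)` returns an automaton whose contract at `l0` is exactly the two assignments with $x$ true, so `l1` is no longer reachable and the result is well-formed; on `NOT_FORMABLE` the first strengthening empties the initial contract, because every input admits the output $y$ that fires the guard, and the function returns `None`.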

For the above class of interfaces there is also an algorithm to check equality, i.e., given two interfaces $I_1, I_2$, check whether $I_1 = I_2$. Let $M_i = (X, Y, L_i, \ell_{0,i}, C_i, T_i)$ be finite-state automata representing $I_i$, for $i = 1, 2$, respectively. We first build a synchronous product $M := (X, Y, L_1 \times L_2 \cup \{\ell_{bad}\}, (\ell_{0,1}, \ell_{0,2}), C, T)$, where $C(\ell_1, \ell_2) := C_1(\ell_1) \lor C_2(\ell_2)$ for all $(\ell_1, \ell_2) \in L_1 \times L_2$, $C(\ell_{bad}) := \mathrm{false}$, and:

$$T := \{((\ell_1, \ell_2),\ (C_1(\ell_1) = C_2(\ell_2)) \land g_1 \land g_2,\ (\ell_1', \ell_2')) \mid (\ell_i, g_i, \ell_i') \in T_i, \text{ for } i = 1, 2\} \cup \{((\ell_1, \ell_2),\ C_1(\ell_1) \neq C_2(\ell_2),\ \ell_{bad})\} \qquad (4)$$

It can be checked that $I_1 = I_2$ iff location $\ell_{bad}$ is unreachable.


5  Composition 

We  define  two  types  of  composition:  by  connection  and  by  feedback. 

5.1  Composition  by  connection 

First,  we  can  compose  two  interfaces  Ii  and  I2  “in  sequence”,  by  connecting  some  of  the  output  variables 
of  Ii  to  some  of  the  input  variables  of  I2.  One  output  can  be  connected  to  many  inputs,  but  an  input  can 
be  connected  to  at  most  one  output.  Parallel  composition  is  a  special  case  of  composition  by  connection, 
where  the  connection  is  empty.  The  connections  define  a  new  interface.  Thus,  the  composition  process  can 
be  repeated  to  yield  arbitrary  (for  the  moment,  acyclic)  interface  diagrams.  Composition  by  connection  is 
associative  (Theorem  3),  so  the  order  in  which  interfaces  are  composed  does  not  matter. 

Two interfaces $I = (X, Y, f)$ and $I' = (X', Y', f')$ are called disjoint if they have disjoint sets of input and output variables: $(X \cup Y) \cap (X' \cup Y') = \emptyset$.

Definition 9 (Composition by connection) Let $I_i = (X_i, Y_i, f_i)$, for $i = 1, 2$, be two disjoint interfaces. A connection $\theta$ between $I_1, I_2$ is a finite set of pairs of variables, $\theta = \{(y_i, x_i) \mid i = 1, \ldots, m\}$, such that: (1) $\forall (y, x) \in \theta : y \in Y_1 \land x \in X_2$, and (2) there do not exist $(y, x), (y', x) \in \theta$ such that $y$ and $y'$ are distinct. Define:

$$\mathrm{OutVars}(\theta) := \{y \mid \exists (y, x) \in \theta\} \qquad (5)$$

$$\mathrm{InVars}(\theta) := \{x \mid \exists (y, x) \in \theta\} \qquad (6)$$

$$X_{\theta(I_1, I_2)} := (X_1 \cup X_2) \setminus \mathrm{InVars}(\theta) \qquad (7)$$

$$Y_{\theta(I_1, I_2)} := Y_1 \cup Y_2 \cup \mathrm{InVars}(\theta) \qquad (8)$$

The connection $\theta$ defines the composite interface $\theta(I_1, I_2) := (X_{\theta(I_1, I_2)}, Y_{\theta(I_1, I_2)}, f)$, where, for every state $s$,

$$f(s) := f_1(s_1) \land f_2(s_2) \land \rho_\theta \land \forall Y_{\theta(I_1, I_2)} : \Phi$$

$$\Phi := (f_1(s_1) \land \rho_\theta) \to \mathrm{in}(f_2(s_2)) \qquad (9)$$

$$\rho_\theta := \bigwedge_{(y, x) \in \theta} y = x$$

and, for $i = 1, 2$, $s_i$ is defined to be the projection of $s$ to the variables in $X_i \cup Y_i$.

Note that $X_{\theta(I_1, I_2)} \cup Y_{\theta(I_1, I_2)} = X_1 \cup X_2 \cup Y_1 \cup Y_2$. Also notice that $\mathrm{InVars}(\theta) \subseteq X_2$. This implies that $X_1 \subseteq X_{\theta(I_1, I_2)}$, that is, every input variable of $I_1$ is also an input variable of $\theta(I_1, I_2)$.

Definition 9 may seem unnecessarily complex at first sight. In particular, the reader may doubt the necessity of the term $\forall Y_{\theta(I_1, I_2)} : \Phi$ in the definition of $f(s)$. Informally speaking, this term states that, no matter which outputs $I_1$ chooses to produce for a given input, all such outputs are legal inputs for $I_2$. This condition is essential for the validity of our interface theory. Omitting this condition would result in a fundamental property of the theory, namely preservation of refinement by composition (Theorem 13), not being true, as will be explained in Example 17. Because of this condition, composition by connection does not correspond to composition of relations, except in the special case when $I_1$ is deterministic (see Theorem 28 of Section 11).

For finite-state interfaces, connection is computable. Let $M_i = (X_i, Y_i, L_i, \ell_{0,i}, C_i, T_i)$ be finite-state automata representing $I_i$, for $i = 1, 2$, respectively. The composite interface $\theta(I_1, I_2)$ can be represented as $M := (X_{\theta(I_1, I_2)}, Y_{\theta(I_1, I_2)}, L_1 \times L_2, (\ell_{0,1}, \ell_{0,2}), C, T)$, where $C(\ell_1, \ell_2)$ is defined as $f(s)$ is defined in (9), replacing $f_i(s_i)$ by $C_i(\ell_i)$, and $T$ is defined as follows:

$$T := \{((\ell_1, \ell_2),\ g_1 \land g_2,\ (\ell_1', \ell_2')) \mid (\ell_i, g_i, \ell_i') \in T_i, \text{ for } i = 1, 2\} \qquad (10)$$

That is, $M$ is essentially a synchronous product of $M_1, M_2$.

A connection $\theta$ is allowed to be empty. In that case, $\rho_\theta = \mathrm{true}$, and the composition can be viewed as the parallel composition of two interfaces. If $\theta$ is empty, we write $I_1 \| I_2$ instead of $\theta(I_1, I_2)$. As may be expected, the contract of the parallel composition at a given global state is the conjunction of the original contracts at the corresponding local states, which implies that parallel composition is commutative:

Lemma 2 Consider two disjoint interfaces, $I_i = (X_i, Y_i, f_i)$, $i = 1, 2$. Then $I_1 \| I_2 = (X_1 \cup X_2, Y_1 \cup Y_2, f)$, where $f$ is such that for all $s \in \mathcal{A}(X_1 \cup X_2 \cup Y_1 \cup Y_2)^*$, $f(s) = f_1(s_1) \land f_2(s_2)$, where, for $i = 1, 2$, $s_i$ is the projection of $s$ to $X_i \cup Y_i$.

Proof: Following Definition 9, we have:

$$I_1 \| I_2 = (X_1 \cup X_2, Y_1 \cup Y_2, f)$$

where for all $s \in \mathcal{A}(X_1 \cup X_2 \cup Y_1 \cup Y_2)^*$

$$f(s) = f_1(s_1) \land f_2(s_2) \land (\forall Y_1 \cup Y_2 : f_1(s_1) \to \mathrm{in}(f_2(s_2)))$$

Observe that $\mathrm{in}(f_2(s_2))$ is a formula over $X_2$, that is, it does not depend on $Y_1 \cup Y_2$. Therefore,

$$(\forall Y_1 \cup Y_2 : f_1(s_1) \to \mathrm{in}(f_2(s_2))) = \neg(\exists Y_1 \cup Y_2 : f_1(s_1) \land \neg\mathrm{in}(f_2(s_2))) = \neg(\neg\mathrm{in}(f_2(s_2)) \land \exists Y_1 \cup Y_2 : f_1(s_1)) = (\mathrm{in}(f_2(s_2)) \lor \neg\exists Y_1 \cup Y_2 : f_1(s_1))$$

Now, observe that $\phi \to \mathrm{in}(\phi)$ is a valid formula for any $\phi$. Therefore, $f_2(s_2) \to \mathrm{in}(f_2(s_2)) \to \mathrm{in}(f_2(s_2)) \lor \neg\exists Y_1 \cup Y_2 : f_1(s_1)$, which gives

$$(f_1(s_1) \land f_2(s_2) \land \forall Y_1 \cup Y_2 : f_1(s_1) \to \mathrm{in}(f_2(s_2))) = (f_1(s_1) \land f_2(s_2))$$ ■


Theorem 2 (Commutativity of parallel composition) Let $I_1$ and $I_2$ be two disjoint interfaces. Then:

$$I_1 \| I_2 = I_2 \| I_1.$$

Proof: Follows from Lemma 2. ■


Theorem 3 (Associativity of connection) Let $I_1, I_2, I_3$ be pairwise disjoint interfaces. Let $\theta_{12}$ be a connection between $I_1, I_2$, $\theta_{13}$ a connection between $I_1, I_3$, and $\theta_{23}$ a connection between $I_2, I_3$. Then:

$$(\theta_{12} \cup \theta_{13})(I_1, \theta_{23}(I_2, I_3)) = (\theta_{13} \cup \theta_{23})(\theta_{12}(I_1, I_2), I_3).$$

Proof: For simplicity of notation, we conduct the proof assuming the interfaces are stateless. The proof is almost identical for general interfaces, except that $f(s)$ replaces $\phi$, $f'(s)$ replaces $\phi'$, and so on.

Suppose the setting is as illustrated in Figure 3. That is, $I_1 = (X_1, Y_1 \cup Y_{12} \cup Y_{13}, \phi_1)$; $I_2 = (X_2 \cup X_{12}, Y_2 \cup Y_{23}, \phi_2)$; $I_3 = (X_3 \cup X_{13} \cup X_{23}, Y_3, \phi_3)$; and $\theta_{12}$ connects $X_{12}$ and $Y_{12}$; $\theta_{13}$ connects $X_{13}$ and $Y_{13}$; $\theta_{23}$ connects $X_{23}$ and $Y_{23}$.

Our first step is to clearly express what the definitions tell us about $I := (\theta_{13} \cup \theta_{23})(\theta_{12}(I_1, I_2), I_3)$ and $I' := (\theta_{12} \cup \theta_{13})(I_1, \theta_{23}(I_2, I_3))$.

For simplicity, we will use the notation $\rho_\theta$ to refer to $\bigwedge_{(y, x) \in \theta} y = x$. We also refer to the outputs of $\theta_{12}(I_1, I_2)$ as $P = Y_1 \cup Y_{12} \cup Y_{13} \cup X_{12} \cup Y_2 \cup Y_{23}$, to the outputs of $\theta_{23}(I_2, I_3)$ as $Q = Y_2 \cup Y_{23} \cup X_{23} \cup Y_3$, and to the overall outputs as $O = Y_1 \cup Y_2 \cup Y_3 \cup Y_{12} \cup Y_{13} \cup Y_{23} \cup X_{12} \cup X_{13} \cup X_{23}$.

The definitions are as follows:

$$\theta_{12}(I_1, I_2) = (X_1 \cup X_2,\ P,\ \phi_1 \land \phi_2 \land \rho_{\theta_{12}} \land \forall P : \phi_1 \land \rho_{\theta_{12}} \to \mathrm{in}(\phi_2))$$

$$\theta_{23}(I_2, I_3) = (X_2 \cup X_{12} \cup X_3 \cup X_{13},\ Q,\ \phi_2 \land \phi_3 \land \rho_{\theta_{23}} \land \forall Q : \phi_2 \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3))$$

Let $\phi_{12}$ and $\phi_{23}$ be the contracts of $\theta_{12}(I_1, I_2)$ and $\theta_{23}(I_2, I_3)$, respectively. Then:

$$I = (X_1 \cup X_2 \cup X_3,\ O,\ \phi_{12} \land \phi_3 \land \rho_{\theta_{13}} \land \rho_{\theta_{23}} \land \forall O : \phi_{12} \land \rho_{\theta_{13}} \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3))$$

$$I' = (X_1 \cup X_2 \cup X_3,\ O,\ \phi_1 \land \phi_{23} \land \rho_{\theta_{12}} \land \rho_{\theta_{13}} \land \forall O : \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}} \to \mathrm{in}(\phi_{23}))$$

Let $\phi$ and $\phi'$ be the contracts of $I$ and $I'$, respectively. Simplifying, and writing $\rho_\theta$ for the conjunction of all three wiring constraints (that is, $\theta = \theta_{12} \cup \theta_{13} \cup \theta_{23}$), we get:

$$\phi = \phi_1 \land \phi_2 \land \phi_3 \land \rho_\theta \land (\forall P : \phi_1 \land \rho_{\theta_{12}} \to \mathrm{in}(\phi_2)) \land (\forall O : \phi_{12} \land \rho_{\theta_{13}} \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3))$$

$$\phi' = \phi_1 \land \phi_2 \land \phi_3 \land \rho_\theta \land (\forall Q : \phi_2 \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3)) \land (\forall O : \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}} \to \mathrm{in}(\phi_{23}))$$

In order to simplify the discussion, we will name the subformulae as follows:

$$C := \forall P : \phi_1 \land \rho_{\theta_{12}} \to \mathrm{in}(\phi_2)$$

$$D := \forall O : \phi_{12} \land \rho_{\theta_{13}} \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3)$$

$$E := \forall Q : \phi_2 \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3)$$

$$F := \forall O : \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}} \to \mathrm{in}(\phi_{23})$$
In order to prove equivalence of $I$ and $I'$, we need to prove that the following four formulae are valid:

$$\phi \to E, \quad \phi \to F, \quad \phi' \to C, \quad \text{and} \quad \phi' \to D$$

Proof of $\phi \to E$: Let $(x, q, o)$ be an arbitrary assignment such that $(x, q, o) \models \phi$, where $x$ is over $X_1 \cup X_2 \cup X_3$, $q$ over $Q$, and $o$ over $O \setminus Q$. We want to show that $(x, q, o) \models E$ (i.e. $(x, o) \models E$).

Let $q'$ be an arbitrary assignment over $Q$ such that $(x, q', o) \models \phi_2 \land \rho_{\theta_{23}}$. We want to show

$$(x, q', o) \models \phi_1 \land \phi_2 \land \rho_\theta \land (\forall P : \phi_1 \land \rho_{\theta_{12}} \to \mathrm{in}(\phi_2)).$$

Clearly, we have $(x, q', o) \models \phi_2 \land \rho_{\theta_{23}}$ by construction of $q'$. We also have $(x, o) \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}} \land C$, since none of the free variables of these formulae are in $Q$ and $(x, q, o) \models \phi$. Thus by $D$, we have $(x, q', o) \models \mathrm{in}(\phi_3)$. Thus we have $(x, o) \models E$. End of proof of $\phi \to E$.

Proof of $\phi \to F$: Suppose we are given an assignment $(x, q, o) \models \phi$ where $x$ is over $X_1 \cup X_2 \cup X_3$, $q$ is over $Q$, and $o$ is over $O \setminus Q$. We want to show that $(x, q, o) \models F$ (i.e. $x \models F$).

Let $(q', o')$ be an arbitrary assignment over $O$ such that $(x, q', o') \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}$. We now want to show that $(x, q', o') \models \mathrm{in}(\phi_{23})$. To do so, we first expand $\mathrm{in}(\phi_{23})$:

$$\mathrm{in}(\phi_{23}) = \exists Q (\phi_2 \land \phi_3 \land \rho_{\theta_{23}}) \land \forall Q (\phi_2 \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3))$$

Thus we can reduce the proof to two parts:

(a) $(x, o') \models \forall Q (\phi_2 \land \rho_{\theta_{23}} \to \mathrm{in}(\phi_3))$, and

(b) $(x, o') \models \exists Q (\phi_2 \land \phi_3 \land \rho_{\theta_{23}})$

For part (a), we want to show that for any assignment $q_a$ over $Q$: $(x, q_a, o') \models \phi_2 \land \rho_{\theta_{23}}$ implies $(x, q_a, o') \models \mathrm{in}(\phi_3)$.

We start with such an assignment $q_a$. Combining this with the fact that $(x, o') \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}$, we get $(x, q_a, o') \models \phi_1 \land \phi_2 \land \rho_\theta$. Combined with the fact that $x \models C$, we get $(x, q_a, o') \models \phi_1 \land \phi_2 \land \rho_\theta \land C$. This is exactly the premise of $D$. Since $x \models D$, this gives us $(x, q_a, o') \models \mathrm{in}(\phi_3)$, which is exactly what we wanted to prove.

For part (b), we want to show that there exists an assignment over $Q$ that models $\phi_2 \land \phi_3 \land \rho_{\theta_{23}}$. For our purposes, we will divide this assignment into $q_{Y2}$ over $Y_2 \cup Y_{23}$, $q_{X3}$ over $X_{23}$, and $q_{Y3}$ over $Y_3$. First, since $x \models C$ and $(x, o') \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}$, we have that $(x, o') \models \mathrm{in}(\phi_2)$. Expanding the definition of $\mathrm{in}$, this means that $\exists Y_2 \cup Y_{23} : \phi_2$ holds. Using such a witness as our assignment $q_{Y2}$, we have that $(x, q_{Y2}, o') \models \phi_2$. We can set the values of $X_{23}$ to those of $Y_{23}$ in order to get an assignment $q_{X3}$ that satisfies $\rho_{\theta_{23}}$. Combining the definition of $o'$ with the assignments to $q_{Y2}$, $q_{X3}$ and the fact that $x \models C$ gives us:

$$(x, q_{Y2}, q_{X3}, o') \models (\phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}) \land (\phi_2 \land \rho_{\theta_{23}}) \land C$$

Since this is exactly the premise of $D$, we get $(x, q_{Y2}, q_{X3}, o') \models \mathrm{in}(\phi_3)$. But this means that $\exists Y_3 : \phi_3$ holds. Using such a witness as our assignment $q_{Y3}$, we get $(x, q_{Y2}, q_{X3}, q_{Y3}, o') \models \phi_3$. Combining the terms that we have satisfied over the course of our assignment, we get $(x, q_{Y2}, q_{X3}, q_{Y3}, o') \models \phi_2 \land \phi_3 \land \rho_{\theta_{23}}$, which is what we wanted to prove.

Combining our results from part (a) and part (b) we get $(x, o') \models \mathrm{in}(\phi_{23})$. Thus $(x, q, o) \models F$. End of proof of $\phi \to F$.

Proof of $\phi' \to C$: Suppose $(x, p, o) \models \phi'$ where $x$ is over $X_1 \cup X_2 \cup X_3$, $p$ over $P$, and $o$ over $O \setminus P$. We want to show that $(x, p, o) \models C$ (i.e. $(x, o) \models C$).

Let $p'$ be an assignment over $P$ such that $(x, p', o) \models \phi_1 \land \rho_{\theta_{12}}$. Take $o'$ over $O \setminus P$ such that $(x, p', o') \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}$. This can be done by making the variables of $X_{13}$ agree with those of $Y_{13}$. By $F$, we have that $(x, p', o') \models \mathrm{in}(\phi_{23})$, so in particular $(x, p', o') \models \mathrm{in}(\phi_2)$. Since $\mathrm{in}(\phi_2)$ does not contain free variables in $O \setminus P$, this means $(x, p', o) \models \mathrm{in}(\phi_2)$. Thus we have $(x, o) \models C$. End of proof of $\phi' \to C$.

Proof of $\phi' \to D$: Suppose $(x, o) \models \phi'$, where $x$ is over $X_1 \cup X_2 \cup X_3$, and $o$ is over $O$.

Let $o'$ be an arbitrary assignment over $O$ with $(x, o') \models \phi_{12} \land \rho_{\theta_{13}} \land \rho_{\theta_{23}}$. Clearly $(x, o') \models \phi_1 \land \rho_{\theta_{12}} \land \rho_{\theta_{13}}$. By $F$, we have $(x, o') \models \mathrm{in}(\phi_{23})$. But this also means that $(x, o') \models \mathrm{in}(\phi_3)$. Thus we have $(x, o) \models D$. End of proof of $\phi' \to D$. ■

Figure 3: Setting used in the proof of associativity.


Example 4 Consider the diagram of stateless interfaces shown in Figure 4, where:

$$I_{id} := (\{x_1\}, \{y_1\}, y_1 = x_1)$$

$$I_{+1,2} := (\{x_2\}, \{y_2\}, x_2 + 1 \le y_2 \le x_2 + 2)$$

$$I_{<} := (\{z_1, z_2\}, \{\}, z_1 < z_2)$$

This diagram can be modeled as either of the two following equivalent compositions:

$$\theta_2(I_{+1,2}, \theta_1(I_{id}, I_{<})) = (\theta_1 \cup \theta_2)((I_{id} \| I_{+1,2}), I_{<})$$

where $\theta_1 := \{(y_1, z_1)\}$ and $\theta_2 := \{(y_2, z_2)\}$.

We proceed to compute the contract of the interface defined by the diagram. It is easier to consider the composition $(\theta_1 \cup \theta_2)((I_{id} \| I_{+1,2}), I_{<})$. Define $\theta_3 := \theta_1 \cup \theta_2$. From Lemma 2 we get:

$$I_{id} \| I_{+1,2} = (\{x_1, x_2\}, \{y_1, y_2\}, y_1 = x_1 \land x_2 + 1 \le y_2 \le x_2 + 2)$$

Then, for $\theta_3((I_{id} \| I_{+1,2}), I_{<})$, Formula (9) gives:

$$\Phi := (y_1 = x_1 \land x_2 + 1 \le y_2 \le x_2 + 2 \land y_1 = z_1 \land y_2 = z_2) \to z_1 < z_2$$

By quantifier elimination, we get

$$\forall y_1, y_2, z_1, z_2 : \Phi \;=\; x_1 < x_2 + 1$$

therefore

$$\theta_3((I_{id} \| I_{+1,2}), I_{<}) = (\{x_1, x_2\}, \{y_1, y_2, z_1, z_2\},\ y_1 = x_1 \land x_2 + 1 \le y_2 \le x_2 + 2 \land z_1 < z_2 \land y_1 = z_1 \land y_2 = z_2 \land x_1 < x_2 + 1)$$

Notice that $\mathrm{in}(\theta_3((I_{id} \| I_{+1,2}), I_{<})) = x_1 < x_2 + 1$. That is, because of the connection $\theta_3$, new assumptions have been generated for the external inputs $x_1, x_2$. These assumptions are stronger than those generated by simple composition of relations, which are $x_1 < x_2 + 2$ in this case.
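Definition 9 and Example 4 computed over a small finite integer domain, as an added example (not the paper's code; `Stateless`, `parallel`, `connect`, `example4`, `interior_inputs` and the constructed domain `DOMAIN` are this example's names and assumptions): contracts are materialised as sets of assignments, so $\mathrm{in}(\phi) = \exists Y : \phi$ and the $\forall Y_\theta : \Phi$ term of (9) are evaluated by enumeration. The `with_forall` switch drops that term, which is what plain composition of relations does, and the two results differ exactly as the text states: $x_1 < x_2 + 1$ with the term, $x_1 < x_2 + 2$ without it.

```python
from itertools import product

DOMAIN = range(-2, 4)   # constructed finite stand-in for the integers


def assignments(variables):
    """Every assignment of DOMAIN values to `variables` (sorted for determinism)."""
    variables = sorted(variables)
    for vals in product(DOMAIN, repeat=len(variables)):
        yield dict(zip(variables, vals))


class Stateless:
    """A stateless interface (X, Y, φ); φ is materialised as a set of assignments."""

    def __init__(self, X, Y, contract):
        self.X, self.Y = frozenset(X), frozenset(Y)
        self.V = sorted(self.X | self.Y)
        self.phi = {self.key(a) for a in assignments(self.V) if contract(a)}

    def key(self, a):
        return frozenset((v, a[v]) for v in self.V)

    def allows(self, a):
        """Does assignment `a` (possibly over more variables than V) satisfy φ?"""
        return self.key(a) in self.phi

    def inputs(self):
        """in(φ) := ∃Y : φ, as the set of legal input assignments."""
        return {frozenset((v, val) for v, val in a if v in self.X) for a in self.phi}


def parallel(I1, I2):
    """I1 ‖ I2 (Lemma 2): the contract is the conjunction of the two contracts."""
    return Stateless(I1.X | I2.X, I1.Y | I2.Y, lambda a: I1.allows(a) and I2.allows(a))


def connect(theta, I1, I2, with_forall=True):
    """θ(I1, I2) of Definition 9, formula (9).  with_forall=False drops the term
    ∀Yθ : Φ and gives plain composition of relations, for comparison."""
    in_vars = {x for _, x in theta}
    X = (I1.X | I2.X) - in_vars          # (7)
    Y = I1.Y | I2.Y | in_vars            # (8)
    legal2 = I2.inputs()

    def rho(a):                          # ρθ := ∧ y = x over the wires
        return all(a[y] == a[x] for y, x in theta)

    def in2(a):                          # in(f2) evaluated on a's I2-inputs
        return frozenset((v, a[v]) for v in I2.X) in legal2

    def xpart(a):
        return frozenset((v, a[v]) for v in X)

    # ∀Yθ : (f1 ∧ ρθ → in(f2)) is a property over X alone: an input is rejected as
    # soon as *some* output choice of I1, wired through θ, is an illegal input of I2.
    rejected = set()
    if with_forall:
        for a in assignments(X | Y):
            if I1.allows(a) and rho(a) and not in2(a):
                rejected.add(xpart(a))

    return Stateless(X, Y, lambda a: I1.allows(a) and I2.allows(a) and rho(a)
                     and xpart(a) not in rejected)


# Example 4 of the text.
I_ID = Stateless({"x1"}, {"y1"}, lambda a: a["y1"] == a["x1"])
I_P12 = Stateless({"x2"}, {"y2"}, lambda a: a["x2"] + 1 <= a["y2"] <= a["x2"] + 2)
I_LT = Stateless({"z1", "z2"}, set(), lambda a: a["z1"] < a["z2"])
THETA3 = {("y1", "z1"), ("y2", "z2")}


def example4(with_forall=True):
    """θ3((I_id ‖ I_{+1,2}), I_<)."""
    return connect(THETA3, parallel(I_ID, I_P12), I_LT, with_forall)


def interior_inputs(I):
    """Legal (x1, x2) pairs of an interface with inputs x1, x2, restricted to x2 values
    whose outputs x2+1 and x2+2 fit in DOMAIN, so that the finite enumeration agrees
    with the unbounded integers of the text."""
    return {(d["x1"], d["x2"]) for d in map(dict, I.inputs()) if d["x2"] + 2 in DOMAIN}


if __name__ == "__main__":
    strong, weak = example4(), example4(with_forall=False)
    print("with ∀Yθ : Φ, in(...) is x1 < x2 + 1:",
          all(x1 < x2 + 1 for x1, x2 in interior_inputs(strong)))
    print("relational composition only gives x1 < x2 + 2:",
          all(x1 < x2 + 2 for x1, x2 in interior_inputs(weak)))
```

The assignment $x_1 = 1, x_2 = 0, y_1 = z_1 = 1, y_2 = z_2 = 2$ satisfies every conjunct of the relational composition, yet `example4().allows` rejects it: with $x_2 = 0$ the interface $I_{+1,2}$ may also emit $y_2 = 1$, which would violate $z_1 < z_2$, and the $\forall$ term charges that possibility to the input rather than to a lucky output choice.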

A composite interface is not guaranteed to be well-formed, nor well-formable, even if all its components are well-formed:

Example 5 Consider the composite interface $\theta_3((I_{id} \| I_{+1,2}), I_{<})$ from Example 4, and suppose we connect its open inputs $x_1, x_2$ to outputs $v_1, v_2$, respectively, of some other interface that guarantees $v_1 > v_2 + 1$. Clearly, the result is false, since the constraint $x_1 > x_2 + 1 \land x_1 < x_2 + 1$ is unsatisfiable.

Figure 4: The interface diagram of Example 4.


Contrary to other works [14, 15, 19], we do not impose an a-priori compatibility condition on connections. We could easily impose well-formedness or well-formability as a compatibility condition. But we prefer not to do so, because this allows us to state more general results. In particular, Theorem 13 holds independently of whether the connection yields a well-formed interface or not. And together with Theorems 11 and 12, it guarantees that if the refined composite interface is well-formed/formable, then so is the refining one. Having said that, compatibility is a useful concept (see discussion in Section 10), therefore we define it explicitly.

Definition 10 (Compatibility) Let $I_1, I_2$ be two disjoint interfaces and $\theta$ a connection between them. $I_1, I_2$ are said to be compatible with respect to $\theta$ iff $\theta(I_1, I_2)$ is well-formable.

Checking compatibility of two finite-state interfaces can be effectively done by first computing an automaton representing the composite interface $\theta(I_1, I_2)$ and then checking well-formability of the latter, using the algorithms described earlier.

5.2  Composition  by  feedback 

Our second type of composition is feedback composition, where an output variable of an interface $I$ is connected to one of its input variables $x$. For feedback, $I$ is required to be Moore with respect to $x$. The term “Moore interfaces” has been introduced in [13]. Our definition is similar in spirit, but less restrictive than the one in [13]. Both definitions are inspired by Moore machines, where the outputs are determined by the current state alone and do not depend directly on the input. In our version, an interface is Moore with respect to a given input variable $x$, meaning that the contract may depend on the current state as well as on input variables other than $x$. This allows an output to be connected to $x$ to form a feedback loop without creating causality cycles.

Definition 11 (Moore interfaces) An interface $I = (X, Y, f)$ is called Moore with respect to $x \in X$ iff for all $s \in f$, $f(s)$ is a property over $(X \cup Y) \setminus \{x\}$. $I$ is called simply Moore when it is Moore with respect to every $x \in X$.

Example 6 (Unit delay) A unit delay is a basic building block in many modeling languages (including Simulink and SCADE). Its specification is roughly: “output at time $k$ the value of the input at time $k - 1$; at time $k = 0$ (initial time), output some initial value $v_0$”. We can capture this specification as an interface:

$$I_{ud} := (\{x\}, \{y\}, f_{ud}),$$

where $f_{ud}$ is defined as follows:

$$f_{ud}(\epsilon) := (y = v_0)$$

$$f_{ud}(s \cdot a) := (y = a(x))$$

That is, initially the contract guarantees $y = v_0$. Then, when the state is some sequence $s \cdot a$, the contract guarantees $y = a(x)$, where $a(x)$ is the last value assigned to input $x$. $I_{ud}$ is Moore (with respect to its unique input variable) since all its contracts are properties over $y$ only.
Definition 12 (Composition by feedback) Let $I = (X, Y, f)$ be a Moore interface with respect to some input variable $x \in X$. A feedback connection $\kappa$ on $I$ is a pair $(y, x)$ such that $y \in Y$. Define $\rho_\kappa := (x = y)$. The feedback connection $\kappa$ defines the interface:

$$\kappa(I) := (X \setminus \{x\},\ Y \cup \{x\},\ f_\kappa) \qquad (11)$$

$$f_\kappa(s) := f(s) \land \rho_\kappa, \quad \text{for all } s \in \mathcal{A}(X \cup Y)^* \qquad (12)$$

For finite-state interfaces, feedback is computable. Let $M = (X, Y, L, \ell_0, C, T)$ be a finite-state automaton representing $I$. First, to check whether $M$ represents a Moore interface w.r.t. a given input variable $x \in X$, it suffices to make sure that for every location $\ell \in L$, $C(\ell)$ does not refer to $x$. Then, if $\kappa = (y, x)$, the interface $\kappa(I)$ can be represented as $M' := (X \setminus \{x\}, Y \cup \{x\}, L, \ell_0, C', T)$, where $C'(\ell) := C(\ell) \land x = y$, for all $\ell \in L$.
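Feedback composition of Definition 12 applied to the unit delay of Example 6, as an added example over boolean variables (illustration code written for this section, not from the paper; `Interface`, `unit_delay`, `feedback`, `can_feed_back`, `states`, `closed_loop` and `NOT_MOORE` are this example's names). A state is the history of past assignments, exactly as in the text, and the Moore check of Definition 11 is enforced on every state before the wire $x = y$ is added; `NOT_MOORE` is a constructed interface with $y = \neg x$ in every round, which the check rejects.

```python
from itertools import product


def assignments(variables):
    """All assignments over boolean `variables`, as hashable frozensets of (var, value)."""
    variables = sorted(variables)
    return {frozenset(zip(variables, bits))
            for bits in product([False, True], repeat=len(variables))}


class Interface:
    """I = (X, Y, f): f maps a state s (a tuple of past assignments) to its contract
    f(s), a set of assignments over X ∪ Y.  The domain is boolean, so everything
    below is computed by enumeration."""

    def __init__(self, X, Y, f):
        self.X, self.Y, self.f = frozenset(X), frozenset(Y), f

    def contract(self, s):
        return self.f(s)

    def is_moore_wrt(self, x, s):
        """Definition 11 at state s: f(s) is a property over the variables other than x,
        i.e. membership must not change when the value of x is flipped."""
        c = self.contract(s)
        flip = lambda a: frozenset((v, (not b) if v == x else b) for v, b in a)
        return all(flip(a) in c for a in c)


def states(I, depth):
    """All states (legal histories) of I of length ≤ depth."""
    frontier, result = [()], [()]
    for _ in range(depth):
        frontier = [s + (a,) for s in frontier for a in I.contract(s)]
        result += frontier
    return result


def can_feed_back(I, kappa, depth=4):
    """κ = (y, x) is a valid feedback connection only if I is Moore w.r.t. x;
    here checked on every state explored up to `depth`."""
    y, x = kappa
    return y in I.Y and x in I.X and all(I.is_moore_wrt(x, s) for s in states(I, depth))


def feedback(I, kappa):
    """Definition 12: κ(I) = (X minus {x}, Y ∪ {x}, f_κ) with f_κ(s) = f(s) ∧ (x = y)."""
    y, x = kappa

    def f_k(s):
        if not I.is_moore_wrt(x, s):
            raise ValueError(f"{x} is not a Moore input at state {s}; "
                             "feedback would close a causality cycle")
        return {a for a in I.contract(s) if dict(a)[x] == dict(a)[y]}

    return Interface(I.X - {x}, I.Y | {x}, f_k)


def unit_delay(v0):
    """Example 6: f_ud(ε) = (y = v0) and f_ud(s·a) = (y = a(x))."""
    V = {"x", "y"}

    def f(s):
        want = v0 if not s else dict(s[-1])["x"]
        return {a for a in assignments(V) if dict(a)["y"] == want}

    return Interface({"x"}, {"y"}, f)


def closed_loop(v0):
    """The unit delay with its output fed back to its input: κ = (y, x)."""
    return feedback(unit_delay(v0), ("y", "x"))


# Constructed non-Moore interface (not from the paper): y = ¬x in every round.
NOT_MOORE = Interface({"x"}, {"y"},
                      lambda s: {a for a in assignments({"x", "y"})
                                 if dict(a)["y"] != dict(a)["x"]})


if __name__ == "__main__":
    loop = closed_loop(True)
    for s in states(loop, 3):
        print(len(s), sorted(map(dict, loop.contract(s)), key=str))
    print("unit delay accepts feedback:", can_feed_back(unit_delay(True), ("y", "x")))
    print("y = ¬x accepts feedback:", can_feed_back(NOT_MOORE, ("y", "x")))
```

Closing the loop on the unit delay leaves a single legal assignment per round, $x = y = v_0$, so the closed interface has no input variables, is well-formed along every state, and simply holds its initial value; for `NOT_MOORE` the same wire would demand $y = \neg x \land x = y$, an empty contract, which is precisely the causality cycle the Moore restriction rules out.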

Theorem 4 (Commutativity of feedback) Let $I = (X, Y, f)$ be Moore with respect to both $x_1, x_2 \in X$, where $x_1 \neq x_2$. Let $\kappa_1 = (y_1, x_1)$ and $\kappa_2 = (y_2, x_2)$ be feedback connections. Then

$$\kappa_1(\kappa_2(I)) = \kappa_2(\kappa_1(I)).$$

Proof: Following Definition 12, we derive

$$\kappa_1(\kappa_2(I)) = (X \setminus \{x_1, x_2\},\ Y \cup \{x_1, x_2\},\ f_1)$$

$$\kappa_2(\kappa_1(I)) = (X \setminus \{x_1, x_2\},\ Y \cup \{x_1, x_2\},\ f_2)$$

where for all $s \in \mathcal{A}(X \cup Y)^*$

$$f_1(s) = (f(s) \land y_1 = x_1 \land y_2 = x_2) = f_2(s)$$ ■

Let $K$ be a set of feedback connections, $K = \{\kappa_1, \ldots, \kappa_n\}$, such that $\kappa_i = (y_i, x_i)$, and all $x_i$ are pairwise distinct, for $i = 1, \ldots, n$. Let $I$ be an interface that is Moore with respect to all $x_1, \ldots, x_n$. We denote by $K(I)$ the interface $\kappa_1(\kappa_2(\cdots \kappa_n(I) \cdots))$. By commutativity of feedback composition, the resulting interface is independent from the order of application of feedback connections. We will use the notation $\mathrm{InVars}(K) := \{x_i \mid (y_i, x_i) \in K\}$ for the set of input variables connected in $K$.

Theorem 5 (Commutativity between connection and feedback) Let $I_1, I_2$ be disjoint interfaces and let $\theta$ be a connection between $I_1, I_2$. Let $\kappa_1, \kappa_2$ be feedback connections on $I_1, I_2$, respectively, such that $\mathrm{InVars}(\kappa_2) \cap \mathrm{InVars}(\theta) = \emptyset$. Then:

$$\kappa_1(\theta(I_1, I_2)) = \theta(\kappa_1(I_1), I_2) \quad \text{and} \quad \kappa_2(\theta(I_1, I_2)) = \theta(I_1, \kappa_2(I_2)).$$

Proof: Let $I_i = (X_i, Y_i, f_i)$, for $i = 1, 2$. Let $\kappa_i = (y_i, x_i)$, for $i = 1, 2$. Then, since $\kappa_i$ are valid feedback connections, $I_i$ must be Moore w.r.t. $x_i$, for $i = 1, 2$.

Claim 1: $\kappa_1(\theta(I_1, I_2)) = \theta(\kappa_1(I_1), I_2)$

Since $\theta$ only changes input variables of $I_2$ to outputs, and $\kappa_1$ only changes an input port of $I_1$ to an output, the composition of these two connections in either order is well formed, and will result in an interface with the same input and output variables. Thus, it remains to prove that the resulting contract is also the same. Let us call the contract of the left hand side $f_{\kappa\theta}$ and of the right hand side $f_{\theta\kappa}$. For simplicity in the notation below, we will also name $\kappa_1$ as $(y, x)$.

$$f_{\theta\kappa}(s) = (f_1(s) \land x = y) \land f_2(s) \land \forall Y \cup \{x\} : ((f_1(s) \land x = y \land \rho_\theta) \to \mathrm{in}(f_2(s)))$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y \cup \{x\} : (\neg f_1(s) \lor x \neq y \lor \neg\rho_\theta \lor \mathrm{in}(f_2(s)))$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y : (\neg f_1(s) \lor \neg\rho_\theta \lor \mathrm{in}(f_2(s)) \lor \forall x : x \neq y)$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y : (\neg f_1(s) \lor \neg\rho_\theta \lor \mathrm{in}(f_2(s)) \lor \mathrm{false})$$

$$= f_1(s) \land f_2(s) \land \forall Y : ((f_1(s) \land \rho_\theta) \to \mathrm{in}(f_2(s))) \land x = y$$

$$= f_{\kappa\theta}(s)$$

Claim 2: $\kappa_2(\theta(I_1, I_2)) = \theta(I_1, \kappa_2(I_2))$

Here we need to rely on the assumption $\mathrm{InVars}(\kappa_2) \cap \mathrm{InVars}(\theta) = \emptyset$ to prove that the composition by $\kappa_2$ and $\theta$ in either order is well formed, and that the input and output variables of the resulting interface are the same. As before, we will name the left hand side contract $f_{\kappa\theta}$, the right hand side contract $f_{\theta\kappa}$, and $\kappa_2$ as $(y, x)$.

$$f_{\theta\kappa}(s) = f_1(s) \land (f_2(s) \land x = y) \land \forall Y \cup \{x\} : ((f_1(s) \land \rho_\theta) \to \mathrm{in}(f_2(s) \land x = y))$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y : ((f_1(s) \land \rho_\theta) \to \exists Y_2 \cup \{x\} : (f_2(s) \land x = y))$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y : ((f_1(s) \land \rho_\theta) \to \exists Y_2 : (f_2(s) \land \exists x : x = y))$$

$$= (f_1(s) \land x = y) \land f_2(s) \land \forall Y : ((f_1(s) \land \rho_\theta) \to \exists Y_2 : (f_2(s) \land \mathrm{true}))$$

$$= f_1(s) \land f_2(s) \land \forall Y : ((f_1(s) \land \rho_\theta) \to \mathrm{in}(f_2(s))) \land x = y$$

$$= f_{\kappa\theta}(s)$$ ■


Theorem 6 (Preservation of Mooreness by connection) Let $I_1, I_2$ be disjoint interfaces such that $I_i = (X_i, Y_i, f_i)$, for $i = 1, 2$. Let $\theta$ be a connection between $I_1, I_2$.

1. If $I_1$ is Moore w.r.t. $x_1 \in X_1$ then $\theta(I_1, I_2)$ is Moore w.r.t. $x_1$.

2. If $I_1$ is Moore and $\mathrm{InVars}(\theta) = X_2$ then $\theta(I_1, I_2)$ is Moore.

3. If $I_2$ is Moore w.r.t. $x_2 \in X_2$ and $x_2 \notin \mathrm{InVars}(\theta)$, then $\theta(I_1, I_2)$ is Moore w.r.t. $x_2$.

Proof:

1. The contract $f$ of $\theta(I_1, I_2)$ is defined as $f(s) := f_1(s_1) \land f_2(s_2) \land \rho_\theta \land \forall Y_{\theta(I_1, I_2)} : \Phi$ where $\Phi := (f_1(s_1) \land \rho_\theta) \to \mathrm{in}(f_2(s_2))$. Because $I_1$ is Moore w.r.t. $x_1$, $f_1(s_1)$ does not refer to $x_1$. Because $I_2$ is disjoint from $I_1$, $f_2(s_2)$ does not refer to $x_1$ either. $\rho_\theta$ refers to outputs of $I_1$ and inputs of $I_2$, thus does not refer to $x_1$. Because none of $f_1(s_1)$, $f_2(s_2)$ or $\rho_\theta$ refer to $x_1$, $\Phi$ does not refer to $x_1$ either. Therefore, $f(s)$ does not refer to $x_1$, thus $\theta(I_1, I_2)$ is Moore w.r.t. $x_1$.

2. By definition, the set of input variables of the composite interface $\theta(I_1, I_2)$ is $X_{\theta(I_1, I_2)} = (X_1 \cup X_2) \setminus \mathrm{InVars}(\theta) = X_1$. By hypothesis, $I_1$ is Moore w.r.t. all $x_1 \in X_1$. By part 1, $\theta(I_1, I_2)$ is also Moore w.r.t. all $x_1 \in X_1$, thus $\theta(I_1, I_2)$ is Moore.

3. Since $x_2 \notin \mathrm{InVars}(\theta)$, $x_2$ is an input variable of $\theta(I_1, I_2)$ and $\rho_\theta$ does not refer to $x_2$. The result follows by a reasoning similar to that of part 1. ■


An interesting question is to what extent and how to transform a given diagram of interfaces, such as the one shown in Figure 5, to a valid expression of interface compositions. This cannot be done for arbitrary diagrams, due to restrictions on feedback, but it can be done for diagrams that satisfy the following condition: every dependency cycle in the diagram, formed by block connections, must visit at least one input variable $x$ of some interface $I$, such that $I$ is Moore w.r.t. $x$. If this condition holds, then we say that the diagram is causal. For example, the diagram in Figure 5 is causal iff $I_1$ is Moore w.r.t. $x_2$ or $I_2$ is Moore w.r.t. $x_4$.

We can systematically transform causal interface diagrams into expressions of interface compositions as follows. First, we remove from the diagram any Moore connections. A connection from output variable $y$ to input variable $x$ is a Moore connection if the interface $I$ to which $x$ belongs is Moore w.r.t. $x$. Because the original diagram is by hypothesis causal, the diagram obtained after removing Moore connections is guaranteed to have no dependency cycles. This acyclic diagram can be easily transformed into an expression involving only interface compositions by connection. By associativity of connection (Theorem 3), the order in which these connections are applied does not matter. Call the resulting interface $I_c$. Then, the removed Moore connections can be turned into feedback compositions, and applied to $I_c$. Because Mooreness is preserved by connection (Theorem 6), $I_c$ is guaranteed to be Moore w.r.t. any input variable $x$ that is the destination of a Moore connection. Therefore, the above feedback compositions are valid for $I_c$. Moreover, because of commutativity of feedback (Theorem 4), the resulting interface is again uniquely defined.

Figure 5: An interface diagram with feedback.

Example 7 Consider the diagram of interfaces shown in Figure 5. Suppose that $I_1$ is Moore with respect to $x_2$. Then, the diagram can be expressed as any of the two compositions

$$\kappa\big(\theta_1(I_1, (I_2 \| I_3))\big) = \theta_3\big(\kappa(\theta_2(I_1, I_2)), I_3\big)$$

where $\theta_1 := \{(y_1,x_4),(y_2,x_3)\}$, $\theta_2 := \{(y_1,x_4)\}$, $\theta_3 := \{(y_2,x_3)\}$ and $\kappa := (y_4,x_2)$. The two expressions are equivalent, since, by Theorem 5, $\theta_3\big(\kappa(\theta_2(I_1,I_2)), I_3\big) = \kappa\big(\theta_3(\theta_2(I_1,I_2), I_3)\big)$, and by Theorem 3, $\theta_3(\theta_2(I_1,I_2),I_3) = \theta_1(I_1,(I_2 \| I_3))$.
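The transformation just described (remove the Moore connections, compose the remaining acyclic diagram by connection, then re-apply the Moore connections as feedback) is mechanical enough to be written down as a small program. The following Python is an added example and is not code from the paper; the names Interface, is_causal, to_expression and figure5_diagram are this example's own. It encodes the diagram of Figure 5 as read here (I2 owning x4, I3 owning x3, feedback y4 to x2), which is an assumption about the figure; the output expression corresponds to the second form of Example 7 after the reordering allowed by Theorem 5.

```python
"""Causality check and diagram-to-expression transformation.

Added example (not code from the paper). An interface is a record of its
input/output variables plus the inputs w.r.t. which it is Moore; a diagram
is a list of interfaces and a list of connections (output var, input var).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    inputs: frozenset
    outputs: frozenset
    moore: frozenset = frozenset()  # inputs w.r.t. which the interface is Moore


def owner(ifaces, var, of_input=True):
    """Interface that has `var` as an input (or, with of_input=False, as an output)."""
    for i in ifaces:
        if var in (i.inputs if of_input else i.outputs):
            return i
    raise KeyError(var)


def split_connections(ifaces, conns):
    """Moore connections (destination x of an interface Moore w.r.t. x) vs. the rest."""
    moore = [c for c in conns if c[1] in owner(ifaces, c[1]).moore]
    plain = [c for c in conns if c not in moore]
    return moore, plain


def topological_order(ifaces, plain):
    """Kahn's algorithm over the dependency graph of the non-Moore connections;
    None if that graph has a cycle, i.e. the diagram is not causal."""
    indeg = {i.name: 0 for i in ifaces}
    succ = {i.name: [] for i in ifaces}
    for y, x in plain:
        src, dst = owner(ifaces, y, of_input=False).name, owner(ifaces, x).name
        succ[src].append(dst)
        indeg[dst] += 1
    ready = {n for n, d in indeg.items() if d == 0}
    order = []
    while ready:
        n = min(ready)          # smallest name first, for a deterministic result
        ready.remove(n)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.add(m)
    return order if len(order) == len(ifaces) else None


def is_causal(ifaces, conns):
    """Every dependency cycle visits a Moore input iff removing the Moore
    connections leaves an acyclic diagram."""
    return topological_order(ifaces, split_connections(ifaces, conns)[1]) is not None


def to_expression(ifaces, conns):
    """Fold the interfaces in topological order into nested connections
    theta{...}(., .) (or '||' when nothing connects to the next interface),
    then apply each removed Moore connection as a feedback kappa(y,x)."""
    moore, plain = split_connections(ifaces, conns)
    order = topological_order(ifaces, plain)
    if order is None:
        raise ValueError("diagram is not causal: some cycle has no Moore input")
    byname = {i.name: i for i in ifaces}
    done, expr = set(), None
    for name in order:
        if expr is None:
            expr = name
        else:
            # connections entering `name` from the part already composed
            theta = [(y, x) for (y, x) in plain if x in byname[name].inputs
                     and owner(ifaces, y, of_input=False).name in done]
            if theta:
                pairs = ",".join(f"({y},{x})" for y, x in theta)
                expr = f"theta{{{pairs}}}({expr}, {name})"
            else:
                expr = f"({expr} || {name})"
        done.add(name)
    for y, x in moore:  # feedback order is irrelevant by Theorem 4
        expr = f"kappa({y},{x})({expr})"
    return expr


def figure5_diagram(i1_moore_wrt_x2=True):
    """Constructed diagram mirroring Figure 5 as read here (an assumption):
    I1(x1,x2 -> y1,y2), I2(x4 -> y4), I3(x3 -> y3), connections y1->x4,
    y2->x3 and the feedback y4->x2."""
    i1 = Interface("I1", frozenset({"x1", "x2"}), frozenset({"y1", "y2"}),
                   frozenset({"x2"}) if i1_moore_wrt_x2 else frozenset())
    i2 = Interface("I2", frozenset({"x4"}), frozenset({"y4"}))
    i3 = Interface("I3", frozenset({"x3"}), frozenset({"y3"}))
    return [i1, i2, i3], [("y1", "x4"), ("y2", "x3"), ("y4", "x2")]


if __name__ == "__main__":
    ifaces, conns = figure5_diagram()
    print(is_causal(ifaces, conns), to_expression(ifaces, conns))
```

With I1 Moore w.r.t. x2 the diagram is causal and the result is kappa(y4,x2)(theta{(y2,x3)}(theta{(y1,x4)}(I1, I2), I3)); dropping the Moore property leaves the cycle I1, I2, I1 unbroken and is_causal returns False.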


Lemma 3 Let $I$ be a Moore interface with respect to some of its input variables, and let $\kappa$ be a feedback connection on $I$. Let $f := f(I)$ and $f_\kappa := f(\kappa(I))$. Then:

1. $f_\kappa \subseteq f$.

2. For any $s \in f_\kappa$, $\mathrm{in}(f_\kappa(s)) = \mathrm{in}(f(s))$.

Proof: Let $I = (X,Y,f)$ be Moore w.r.t. $x \in X$. Let $\kappa = (y,x)$.

1. Proof is by induction on the length of states. Basis: the result holds for the empty state $\varepsilon$, because $\varepsilon \in f$ for any contract $f$. Induction step: let $s \cdot a \in f_\kappa$. Then $a \models f(s) \land x = y$, thus $a \models f(s)$. $s \cdot a \in f_\kappa$ implies $s \in f_\kappa$, thus, by the induction hypothesis, $s \in f$. This and $a \models f(s)$ imply $s \cdot a \in f$.

2. Let $\kappa(I) = (X \setminus \{x\}, Y \cup \{x\}, f_\kappa)$. Let $s \in f_\kappa$. Note that $\mathrm{in}(f_\kappa(s)) = \mathrm{in}(f(s))$ is a formula over $X$: $\mathrm{in}(f_\kappa(s))$ is a formula over $X \setminus \{x\}$ and $\mathrm{in}(f(s))$ is a formula over $X$.

To show that $\mathrm{in}(f_\kappa(s)) \to \mathrm{in}(f(s))$ is valid, we need to show that every assignment over $X$ that satisfies $\mathrm{in}(f_\kappa(s))$ also satisfies $\mathrm{in}(f(s))$. Consider such an assignment $(a,p)$, where $a$ is an assignment over $X \setminus \{x\}$ and $p$ is an assignment over $\{x\}$. $(a,p) \models \mathrm{in}(f_\kappa(s))$ means $(a,p) \models \exists Y \cup \{x\} : f(s) \land x = y$. Therefore, there exists an assignment $b$ over $Y \cup \{x\}$ such that $(a,b) \models f(s) \land x = y$. Let $b'$ be the restriction of $b$ to $Y$. We claim that $(a,p,b') \models f(s)$. Indeed, since $I$ is Moore w.r.t. $x$, $f(s)$ does not depend on $x$, therefore, we can assign any value to $x$, in particular, the value assigned by $p$. $(a,p,b') \models f(s)$ implies $(a,p) \models \exists Y : f(s) = \mathrm{in}(f(s))$.

To show that $\mathrm{in}(f(s)) \to \mathrm{in}(f_\kappa(s))$ is valid, we need to show that every assignment over $X$ that satisfies $\mathrm{in}(f(s))$ also satisfies $\mathrm{in}(f_\kappa(s))$. Consider such an assignment $(a,p)$, where $a$ is an assignment over $X \setminus \{x\}$ and $p$ is an assignment over $\{x\}$. $(a,p) \models \mathrm{in}(f(s))$ means $(a,p) \models \exists Y : f(s)$. Therefore, there exists an assignment $b$ over $Y$ such that $(a,p,b) \models f(s)$. Let $p'$ be the assignment over $\{x\}$ such that $p'(x) := b(y)$. Since $I$ is Moore w.r.t. $x$, $f(s)$ does not depend on $x$, therefore, $(a,p',b) \models f(s)$. Moreover, $(a,p',b) \models x = y$, therefore $(a,p',b) \models f(s) \land x = y = f_\kappa(s)$. This implies $a \models \exists Y \cup \{x\} : f_\kappa(s) = \mathrm{in}(f_\kappa(s))$. Therefore $(a,p) \models \mathrm{in}(f_\kappa(s))$.


Theorem 7 (Feedback preserves well-formedness) Let $I$ be a Moore interface with respect to some of its input variables, and let $\kappa$ be a feedback connection on $I$. If $I$ is well-formed then $\kappa(I)$ is well-formed.

Proof: Let $I = (X,Y,f)$ and $\kappa = (y,x)$. Let $s \in f(\kappa(I))$. We must show that $f(s) \land x = y$ is satisfiable. By part 1 of Lemma 3, $s \in f$. Since $I$ is well-formed, $f(s)$ is satisfiable. Let $a$ be an assignment such that $a \models f(s)$. Consider the assignment $a'$ which is identical to $a$, except that $a'(x) := a(y)$. Since $I$ is Moore w.r.t. $x$, the satisfaction of $f(s)$ does not depend on the value of $x$. Therefore, $a' \models f(s)$. Moreover, by definition, $a' \models x = y$, and the proof is complete. ■

Feedback does not preserve well-formability:

Example 8 Consider a finite-state interface $I_f$ with two states, $s_0$ (the initial state) and $s_1$, one input variable $x$ and one output variable $y$. $I_f$ remains at state $s_0$ when $x \ne 0$ and moves from $s_0$ to $s_1$ when $x = 0$. Let $\phi_0 := y = 0$ be the contract at state $s_0$ and let $\phi_1 := \mathit{false}$ be the contract at state $s_1$. $I_f$ is not well-formed because $\phi_1$ is unsatisfiable while state $s_1$ is reachable. $I_f$ is well-formable, however: it suffices to restrict $\phi_0$ to $\phi_0' := y = 0 \land x \ne 0$. Denote the resulting (well-formed) interface by $I_f'$. Note that $I_f$ is Moore with respect to $x$, whereas $I_f'$ is not. Let $\kappa$ be the feedback connection $(y,x)$. Because $I_f$ is Moore, $\kappa(I_f)$ is defined, and is such that its contract at state $s_0$ is $y = 0 \land x = y$, and its contract at state $s_1$ is $\mathit{false} \land x = y = \mathit{false}$. $\kappa(I_f)$ is not well-formable: indeed, $y = 0 \land x = y$ implies $x = 0$, therefore, state $s_1$ cannot be avoided.


6 Hiding

As can be seen in Example 4, composition often creates redundant output variables, in the sense that some of these variables are equal to each other. This happens because input variables that get connected become output variables. To remove redundant output variables, we propose a hiding operator. Hiding may also be used to remove other output variables that may not be redundant, provided they do not influence the evolution of contracts, as we shall see below.

For a stateless interface $I = (X, Y, \phi)$, the (stateless) interface resulting from hiding an output variable $y \in Y$ can simply be defined as:

$$\mathrm{hide}(y, I) := (X, Y \setminus \{y\}, \exists y : \phi)$$

This definition does not directly extend to the general case of stateful interfaces, however. The reason is that the contract of a stateful interface $I$ may depend on the history of $y$. Then, hiding $y$ is problematic because it is unclear how the contracts of different histories should be combined. To avoid this problem, we allow hiding only those outputs which do not influence the evolution of the contract.

Given $s, s' \in \mathcal{A}(X \cup Y)^*$ such that $|s| = |s'|$ (i.e., $s, s'$ have the same length), and given $Z \subseteq X \cup Y$, we say that $s$ and $s'$ agree on $Z$, denoted $s =_Z s'$, when for all $i \in \{1, \dots, |s|\}$, and all $z \in Z$, $s_i(z) = s_i'(z)$. Given interface $I = (X, Y, f)$, we say that $f$ is independent from $z$ if for every $s, s' \in f$, $s =_{(X \cup Y) \setminus \{z\}} s'$ implies $f(s) = f(s')$. That is, the evolution of $z$ does not affect the evolution of $f$.

Notice that $f$ being independent from $z$ does not imply that $f$ cannot refer to $z$. Indeed, all stateless interfaces trivially satisfy the independence condition: their contracts are invariant in time, i.e., they do not depend on the evolution of variables. Clearly, the contract of a stateless interface can refer to any of its variables. Conversely, $f$ not referring to $z$ does not imply that $f$ is independent from $z$. Consider, for example, $f(\varepsilon) = \mathit{true}$, while $f(z = 0) \ne f(z = 1)$, where $f(z = 0)$ denotes a state where $z = 0$, and similarly for $f(z = 1)$.

The above notion of independence is weaker than redundancy in variables, as we show next. First, we formalize redundancy in variables. Given $z \in X \cup Y$, we say that $z$ is redundant in $f$ if there exists $z' \in X \cup Y$ such that $z' \ne z$, and for all $s \in f$, for all $i \in \{1, \dots, |s|\}$, $s_i(z) = s_i(z')$. It should be clear that all outputs in $\mathrm{InVars}(\theta)$ in an interface obtained by connection $\theta$ are redundant (see Definition 9). Similarly, in an interface obtained by feedback $\kappa = (y, x)$, the newly introduced output variable $x$ is redundant (see Definition 12).

Lemma 4 If $z$ is redundant in $f$ then $f$ is independent from $z$.

Proof: Since $z$ is redundant in $f$ there exists $z' \ne z$ such that $\forall s \in f : \forall i \in \{1, \dots, |s|\} : s_i(z) = s_i(z')$. Let $s, s' \in f$ such that $s =_{(X \cup Y) \setminus \{z\}} s'$. This means that for any $v \in X \cup Y$, if $v \ne z$ then $\forall i \in \{1, \dots, |s|\} : s_i(v) = s_i'(v)$. But $z'$ is such a $v$, therefore, $\forall i \in \{1, \dots, |s|\} : s_i(z') = s_i'(z')$. Since $s_i(z') = s_i(z)$ and $s_i'(z') = s_i'(z)$ for all $i$, we get that $\forall i \in \{1, \dots, |s|\} : s_i(z) = s_i'(z)$. Therefore, $s = s'$, which trivially implies $f(s) = f(s')$. ■

When $f$ is independent from $z$, $f$ can be viewed as a function from $\mathcal{A}((X \cup Y) \setminus \{z\})^*$ to $\mathcal{F}(X \cup Y)$ instead of a function from $\mathcal{A}(X \cup Y)^*$ to $\mathcal{F}(X \cup Y)$. We use this when we write $f(s)$ for $s \in \mathcal{A}((X \cup Y) \setminus \{z\})^*$ in the definition that follows:

Definition 13 (Hiding) Let $I = (X, Y, f)$ be an interface and let $y \in Y$, such that $f$ is independent from $y$. Then $\mathrm{hide}(y, I)$ is defined to be the interface

$$\mathrm{hide}(y, I) := (X, Y \setminus \{y\}, f') \qquad (13)$$

such that for any $s \in \mathcal{A}(X \cup Y \setminus \{y\})^*$, $f'(s) := \exists y : f(s)$.

For finite-state interfaces, hiding is computable. Let $M = (X, Y, L, \ell_0, C, T)$ be a finite-state automaton representing $I$. We first need to ensure that the contract of $I$ is independent from $y$. A simple way to do this is to check that no guard of $M$ refers to $y$. This condition is sufficient, but not necessary. Consider, for example, two complementary guards $y < 1$ and $y \ge 1$ whose transitions lead to locations with identical contracts. Then the two locations may be merged into a single one, and the two transitions into a single transition with guard $\mathit{true}$. Another situation where the above condition may be too strict is when a guard refers to $y$ but $y$ is redundant. In that case, all occurrences of $y$ in guards of $M$ can be replaced by its equal variable $y'$. Once independence from $y$ is ensured, $\mathrm{hide}(y, I)$ can be represented as $M' := (X, Y \setminus \{y\}, L, \ell_0, C', T)$, where $C'(\ell) := \exists y : C(\ell)$, for all $\ell \in L$.
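The finite-state construction just described can be carried out on small, explicitly enumerated domains. The following Python is an added example, not code from the paper; Automaton, depends_on, can_hide, hide and example_automaton are names chosen here. Contracts and guards are predicates over an assignment, so the "no guard refers to y" condition is decided semantically (the guard never changes value when only y changes), which on finite domains is at least as permissive as the syntactic check, and $C'(\ell) := \exists y : C(\ell)$ is computed by enumerating the values of y.

```python
"""Hiding an output variable of a finite-state interface.

Added example (not code from the paper). Contracts and guards are Python
predicates over an assignment (dict: variable -> value); every variable
ranges over a small finite domain, so the quantifier in C'(l) := exists y : C(l)
is eliminated by enumeration. Whether a guard "refers to y" is decided
semantically (its value never changes when only y changes), which on finite
domains subsumes the syntactic check named in the text.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class Automaton:
    inputs: tuple
    outputs: tuple
    domains: dict          # variable -> tuple of admissible values
    locations: tuple
    initial: str
    contract: dict         # location -> predicate over X ∪ Y
    transitions: tuple     # (source, guard predicate over X ∪ Y, target)


def assignments(domains, variables):
    """All assignments of `variables` over their finite domains."""
    for values in product(*(domains[v] for v in variables)):
        yield dict(zip(variables, values))


def depends_on(pred, var, domains, variables):
    """True iff pred takes different values on two assignments differing only in var."""
    others = [v for v in variables if v != var]
    for a in assignments(domains, others):
        if len({pred({**a, var: d}) for d in domains[var]}) > 1:
            return True
    return False


def exists(pred, var, domains):
    """Quantifier elimination: the predicate (exists var : pred) on a finite domain."""
    return lambda a: any(pred({**a, var: d}) for d in domains[var])


def can_hide(m, y):
    """Sufficient condition from the text: no guard of M depends on y."""
    variables = m.inputs + m.outputs
    return not any(depends_on(g, y, m.domains, variables) for _, g, _ in m.transitions)


def hide(m, y):
    """hide(y, M): drop output y and replace every contract C(l) by exists y : C(l)."""
    if not can_hide(m, y):
        raise ValueError(f"a guard depends on {y}; the contract may not be independent from it")
    return Automaton(
        inputs=m.inputs,
        outputs=tuple(v for v in m.outputs if v != y),
        domains={v: d for v, d in m.domains.items() if v != y},
        locations=m.locations,
        initial=m.initial,
        contract={l: exists(c, y, m.domains) for l, c in m.contract.items()},
        transitions=m.transitions,
    )


def example_automaton(guard_on_y=False):
    """Constructed two-location interface with input x and outputs y, z, where
    y is a redundant copy of z (as a connection would produce). With
    guard_on_y=True the transition guard reads y, so hiding must be refused."""
    dom = {"x": (0, 1), "y": (0, 1), "z": (0, 1)}
    guard = (lambda a: a["y"] == 1) if guard_on_y else (lambda a: a["x"] == 1)
    return Automaton(
        inputs=("x",), outputs=("y", "z"), domains=dom,
        locations=("l0", "l1"), initial="l0",
        contract={"l0": lambda a: a["z"] == a["x"] and a["y"] == a["z"],
                  "l1": lambda a: a["z"] == 1 - a["x"] and a["y"] == a["z"]},
        transitions=(("l0", guard, "l1"),),
    )
```

After hide(m, "y") the contract at l0 is equivalent to z = x and the one at l1 to z = 1 - x, with the transition structure untouched; when the guard reads y, can_hide reports that the simple sufficient condition fails and the redundancy-based substitution of y by z described in the text would have to be applied first.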

7  Environments,  pluggability  and  substitutability 

We  wish  to  formalize  the  notion  of  interface  contexts  and  substitutability,  and  we  introduce  environments 
for  that  purpose.  Environments  are  interfaces.  An  interface  I  can  be  connected  to  an  environment  E  to 
form  a  closed-loop  system,  as  illustrated  in  Figure  6.  E  acts  both  as  a  controller  and  an  observer  for  I.  It 
is  a  controller  in  the  sense  that  it  “steers”  I  by  providing  inputs  to  it,  depending  on  the  outputs  it  receives. 
At  the  same  time,  E  acts  as  an  observer,  that  monitors  the  inputs  consumed  and  outputs  produced  by  I, 
and  checks  whether  a  given  property  is  satisfied.  These  notions  are  formalized  in  Definition  14  that  follows. 
Figure 6: Illustration of pluggability.

Before giving the definition, however, a remark is in order. Interfaces and environments are to be connected in a closed-loop, as illustrated in Figure 6. In order to do this in our setting, every dependency cycle must be “broken” by a Moore connection, as prescribed by the transformation of interface diagrams to composition expressions, given in Section 5.2. It can be seen that, in the case of two interfaces connected in closed-loop, the above requirement implies that one of the two interfaces is Moore. For instance, consider Figure 6. If $I$ is not Moore w.r.t. $x_2$, then $E$ must be Moore w.r.t. both $y_1$ and $y_2$, so that both feedback connections can be formed. Similarly, if $E$ is not Moore w.r.t. $y_2$, say, then $I$ must be Moore w.r.t. both $x_1, x_2$. This remark justifies the definition below:

Definition 14 (Environments and pluggability) Consider interfaces $I = (X, Y, f)$ and $E = (\bar{Y}, \bar{X}, f_E)$. $E$ is said to be an environment for $I$ if there exist bijections between $X$ and $\bar{X}$, and between $Y$ and $\bar{Y}$. $\bar{X}$ are called the mirror variables of $X$, and similarly for $Y$ and $\bar{Y}$. For $x \in X$, we denote by $\bar{x}$ the corresponding (by the bijection) variable in $\bar{X}$, and similarly with $y$ and $\bar{y}$. $I$ is said to be pluggable to $E$, denoted $I \dashv E$, iff the following conditions hold:

• $I$ is Moore or $E$ is Moore.

• If $E$ is Moore then the interface $\kappa(\theta(E, I))$ is well-formed, where $\theta := \{(\bar{x}, x) \mid x \in X\}$ and $\kappa := \{(y, \bar{y}) \mid y \in Y\}$. Notice that, because $E$ is Moore and $\mathrm{InVars}(\theta) = X$, part 2 of Theorem 6 applies, and guarantees that $\theta(E, I)$ is Moore. Therefore, $\kappa(\theta(E, I))$ is well-defined.

• If $I$ is Moore then the interface $\kappa(\theta(I, E))$ is well-formed, where $\theta := \{(y, \bar{y}) \mid y \in Y\}$ and $\kappa := \{(\bar{x}, x) \mid x \in X\}$.

Note that, by definition, $I$ is pluggable to $E$ iff $E$ is pluggable to $I$.


Figure 7: Three environments.

Example 9 Consider interfaces $I_1$ and $I_2$ from Example 1 and environments $E_1, E_2, E_3$ of Figure 7 (implicitly, transitions without guards are assumed to have guard $\mathit{true}$). It can be checked that both $I_1$ and $I_2$ are pluggable to $E_1$. $I_1$ is pluggable to neither $E_2$ nor $E_3$: indeed, the output guarantee $x \ge 0$ of these two environments is not strong enough to meet the input assumption $x > 0$ of $I_1$. $I_2$ is not pluggable to $E_2$: although the input assumption of $I_2$ is $\mathit{true}$, $I_2$ guarantees $y > 0$ only when $x > 0$. Therefore the guard $y \le 0$ of $E_2$ is enabled in some cases, leading to a location with contract $\mathit{false}$, which means that the closed-loop interface is not well-formed. On the other hand, $I_2$ is pluggable to $E_3$.

Theorem 8 (Pluggability and well-formability)

• If an interface $I$ is well-formable then there exists an environment $E$ for $I$ such that $I \dashv E$.

• If there exists an environment $E$ for interface $I$ such that $I \dashv E$ and $I$ is not Moore then $I$ is well-formable.

Proof:

• Let $I = (X, Y, f)$ be a well-formable interface. Then there exists $I' = (X, Y, f')$ such that $I'$ is well-formed, and for all $s \in f'$, $f'(s) = f(s) \land \phi_s$, where $\phi_s$ is some property over $X$. Slightly abusing notation, we define environment $E$ with contract function $f_E(s) := \mathrm{in}(f'(s)) = \mathrm{in}(f(s)) \land \phi_s$, for any state $s$. In this definition we implicitly use the mapping between variables of $I$ and mirror variables of $E$. We claim that $I \dashv E$. Indeed, $E$ is Moore and well-formed, therefore, by Theorem 19, it is input-complete. Also, $f_E(s) \to \mathrm{in}(f(s))$, therefore, any output of $E$ is a legal input for $I$. Finally, the behavior of the closed-loop system of $E$ and $I$ is equivalent to $I'$, therefore, it is well-formed.

• Conversely, suppose there exists environment $E$ such that $I \dashv E$. We prove that $I$ is well-formable. Let $f_E$ be the contract function of $E$. Since $I$ is not Moore, $E$ must be Moore. Therefore, $f_E(s)$ is essentially a property over $X$ for any $s$. We define $I' = (X, Y, f')$ such that $f'(s) := f(s) \land f_E(s)$. $I'$ must be well-formed, because the closed-loop composition of $I$ and $E$ is well-formed. Thus, $I'$ is a witness for $I$, which is well-formable.


Example 10 Consider interfaces $I$ and $E$ shown in Figure 8. Observe that $I$ is Moore and $I \dashv E$. However, $I$ is not well-formable.

Figure 8: A Moore interface $I$ and a non-Moore environment $E$.

Example 10 shows that the non-Mooreness assumption on $I$ is indeed necessary in part 2 of Theorem 8. This example also illustrates an aspect of our definition of well-formability, which may appear inappropriate for Moore interfaces: indeed, interface $I$ of Figure 8 is non-well-formable, yet there is clearly an environment that can be plugged to $I$ so that the false location is avoided. An alternative definition of well-formability for an interface $I$ would have been existence of an environment that can be plugged to $I$. This would make Theorem 8 a tautology. Nevertheless, we opt for Definition 8, which allows transforming interfaces into a “canonical form” where all contracts are satisfiable.

Definition 15 (Substitutability) We say that interface $I'$ may replace interface $I$ (or $I'$ may be substituted for $I$), denoted $I \to_E I'$, iff for any environment $E$, if $I$ is pluggable to $E$ then $I'$ is pluggable to $E$. We write $I =_E I'$ iff both $I \to_E I'$ and $I' \to_E I$ hold.

Theorem 9 Let $I, I'$ be well-formed interfaces. Then $I =_E I'$ iff $I = I'$.

Proof: By Theorem 15 of Section 8, $I =_E I'$ implies $I' \sqsubseteq I$ and $I \sqsubseteq I'$. The result follows by antisymmetry of refinement (Theorem 10). ■




8  Refinement 

Definition 16 (Refinement) Consider two interfaces $I = (X, Y, f)$ and $I' = (X', Y', f')$. We say that $I'$ refines $I$, written $I' \sqsubseteq I$, iff $X' = X$, $Y' = Y$, and for any $s \in f \cap f'$, the following formula is valid:

$$\mathrm{in}(f(s)) \to \big(\mathrm{in}(f'(s)) \land (f'(s) \to f(s))\big) \qquad (14)$$

Condition 14 can be rewritten equivalently as the conjunction of the following two conditions:

$$\mathrm{in}(f(s)) \to \mathrm{in}(f'(s)) \qquad (15)$$

$$(\mathrm{in}(f(s)) \land f'(s)) \to f(s) \qquad (16)$$

Condition 15 states that every input assignment that is legal in $I$ is also legal in $I'$. This guarantees that, for any possible input assignment that can be provided to $I$ by a context $C$, if this assignment is accepted by $I$ then it is also accepted by $I'$. Condition 16 states that, for every input assignment that is legal in $I$, all output assignments that can possibly be produced by $I'$ from that input can also be produced by $I$. This guarantees that if $C$ accepts the assignments produced by $I$ then it also accepts those produced by $I'$.

The reader may wonder why Condition (16) could not be replaced with the simpler condition:

$$f'(s) \to f(s) \qquad (17)$$

Indeed, as will be shown in Section 10, for input-complete interfaces, Condition (14) reduces to Condition (17), see Theorem 25. In general, however, the two definitions are different in a profound way, as Example 15, at the end of this section, demonstrates.

A remark is in order regarding the constraint $X' = X$ and $Y' = Y$ imposed during refinement. This constraint may appear too strict, but we argue that it is not. To begin, recall that $I' \sqsubseteq I$ should imply that $I'$ can replace $I$ in any context. In our setting, contexts are formalized as environments. Consider such an environment with controller $C$. $C$ provides values to the input variables of $I$, and requires values from the output variables of $I$. Suppose $I'$ has an input variable $x$ that $I$ does not have, that is, there exists $x \in X' \setminus X$. In general, $C$ may not provide $x$. In that case, $I'$ cannot replace $I$, because by doing so, input $x$ would remain free. Therefore, $X' \subseteq X$ must hold. Similarly, suppose that there exists $y \in Y \setminus Y'$. In general, $C$ may require $y$, that is, $y$ may be a free input for $C$. In that case, $I'$ cannot replace $I$, because by doing so, $y$ would remain free. Therefore, $Y \subseteq Y'$ must hold.

Now, suppose that $X'$ is a strict subset of $X$ or $Y'$ is a strict superset of $Y$ (or both). Then, we can easily modify $I$ and $I'$ as follows: we add to $X'$ all the input variables missing from $I'$, so that $X' = X$, and we add to $Y$ all the output variables missing from $I$, so that $Y = Y'$. While doing so, we do not change the contracts of either $I$ or $I'$: the contracts simply ignore the additional variables, that is, do not impose any constraints on their values. It can be seen that this transformation preserves the validity of refinement Condition 14. Indeed, $\mathrm{in}(\phi) \to (\mathrm{in}(\phi') \land (\phi' \to \phi))$ holds when $\phi$ is over $X \cup Y$ and $\phi'$ is over $X' \cup Y'$ iff it holds when both $\phi$ and $\phi'$ are taken to be over $X \cup Y'$, provided $X' \subseteq X$ and $Y' \supseteq Y$. Therefore, without loss of generality, we require $X = X'$ and $Y = Y'$.

Example 11 (Buffer that may fail) This example builds on Example 2. Figure 9 depicts the interface of a single-place buffer that may fail to complete a read or write operation. This interface has one more boolean output variable, namely, ack, in addition to those of Example 2, and two more locations, after_read and after_write. Its global contract is identical to that of Example 2. So are the local contracts at locations and . After a write operation, the interface moves to location after_write, where it non-deterministically chooses to set ack to true or false; setting it to true means the write was successful, false means the write failed. The meaning is symmetric for read. This particular interface does not allow read or write operations in the two intermediate locations.

Figure 9: Interface for a buffer of size 1 that may fail to do a read or write. (Labels in the figure: global contract: not (empty and full) and not (write and read) and (full => not write) and (empty => not read); additional contract at after_read: (ack => empty) and ((not ack) => full) and (not (read or write)).)

It is natural to expect that a buffer that never fails can replace a buffer that may fail. We would like to have a formal guarantee of this, in terms of refinement of their corresponding interfaces. That is, we would like the interface of Figure 1 to refine the one of Figure 9. This does not immediately hold, since ack is not a variable of the former. We can easily add it, however, obtaining the interface shown in Figure 10. This buffer never fails, therefore, ack is always true. With this modification, the interface of Figure 10 refines the one of Figure 9. On the other hand, the converse is not true: the interface of Figure 9 does not refine the one of Figure 10, because in the latter output ack is always true, whereas in the former it can also be false.

For finite-state interfaces, refinement can be checked as follows. Let $M_i = (X, Y, L_i, \ell_{0,i}, C_i, T_i)$ be finite-state automata representing $I_i$, for $i = 1, 2$, respectively. We first build a synchronous product $M := (X, Y, L_1 \times L_2 \cup \{\ell_{good}, \ell_{bad}\}, (\ell_{0,1}, \ell_{0,2}), C, T)$, where $C(\ell_1, \ell_2) := \mathrm{in}(C_1(\ell_1))$ for all $(\ell_1, \ell_2) \in L_1 \times L_2$, $C(\ell_{good}) := \mathit{true}$, $C(\ell_{bad}) := \mathit{false}$, and:

$$
\begin{aligned}
T := {} & \{((\ell_1, \ell_2),\ g_{both} \land g_1 \land g_2,\ (\ell_1', \ell_2')) \mid (\ell_i, g_i, \ell_i') \in T_i \text{ for } i = 1, 2\} \\
& \cup \{((\ell_1, \ell_2), g_{bad}, \ell_{bad}),\ ((\ell_1, \ell_2), g_{good}, \ell_{good}),\ (\ell_{good}, \mathit{true}, \ell_{good})\} && (18) \\
g_{both} := {} & C_1(\ell_1) \land C_2(\ell_2) && (19) \\
g_{good} := {} & \mathrm{in}(C_1(\ell_1)) \land \mathrm{in}(C_2(\ell_2)) \land \neg C_2(\ell_2) && (20) \\
g_{bad} := {} & \mathrm{in}(C_1(\ell_1)) \land \big(\neg\mathrm{in}(C_2(\ell_2)) \lor C_2(\ell_2) \land \neg C_1(\ell_1)\big) && (21)
\end{aligned}
$$

Notice that guard $g_{bad}$ encodes the negation of the refinement Condition (14). Also note that $g_{both}, g_{good}, g_{bad}$ are pairwise disjoint, and such that $g_{both} \lor g_{good} \lor g_{bad} = \mathrm{in}(C_1(\ell_1))$, for all $(\ell_1, \ell_2) \in L_1 \times L_2$. This ensures determinism of $M$. It can be checked that $I_2 \sqsubseteq I_1$ iff location $\ell_{bad}$ is unreachable.
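The product construction of Eqs. (18)-(21) can be run directly as a reachability search when variables range over small finite domains. The following Python is an added example and is not code from the paper; Automaton, refines, spec and impl are names chosen here, and the two constructed interfaces (a specification that assumes x > 0 and switches from guaranteeing y > 0 to guaranteeing y = 2 after seeing x = 2, and an input-complete implementation) are illustrative, not taken from the paper's examples. The product is explored on the fly: an assignment satisfying $g_{bad}$ reaches $\ell_{bad}$, one satisfying $g_{both}$ advances both automata, and one satisfying $g_{good}$ enters the absorbing $\ell_{good}$ and is not explored further. A location with no enabled transition is assumed to stay put, which is a modelling convention of this example.

```python
"""Refinement check for finite-state interfaces via the synchronous product.

Added example (not code from the paper). Locations carry a contract
(predicate over X ∪ Y) and guarded transitions; variables range over small
finite domains, so in(C) = exists Y : C is computed by enumeration. The
product of Eqs. (18)-(21) is explored on the fly from (l_{0,1}, l_{0,2}):
an assignment satisfying g_bad reaches l_bad (refinement fails), one
satisfying g_both advances both automata, and one satisfying g_good enters
the absorbing l_good, which needs no further exploration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class Automaton:
    locations: tuple
    initial: str
    contract: dict      # location -> predicate over X ∪ Y
    transitions: tuple  # (source, guard over X ∪ Y, target)


def assignments(domains, variables):
    """All assignments of `variables` over their finite domains."""
    for values in product(*(domains[v] for v in variables)):
        yield dict(zip(variables, values))


def legal_input(contract, ax, domains, outputs):
    """in(C)(ax) = exists Y : C, by enumerating the output values."""
    return any(contract({**ax, **b}) for b in assignments(domains, outputs))


def step(m, loc, a):
    """Successor location under assignment a; with no enabled transition the
    automaton stays put (a modelling convention assumed here)."""
    for src, guard, dst in m.transitions:
        if src == loc and guard(a):
            return dst
    return loc


def refines(m2, m1, inputs, outputs, domains):
    """I2 ⊑ I1 iff l_bad is unreachable in the product of M1 and M2."""
    start = (m1.initial, m2.initial)
    seen, todo = {start}, [start]
    while todo:
        l1, l2 = todo.pop()
        c1, c2 = m1.contract[l1], m2.contract[l2]
        for ax in assignments(domains, inputs):
            in1 = legal_input(c1, ax, domains, outputs)
            in2 = legal_input(c2, ax, domains, outputs)
            if in1 and not in2:          # g_bad, first disjunct of Eq. (21)
                return False
            for b in assignments(domains, outputs):
                a = {**ax, **b}
                if in1 and c2(a) and not c1(a):   # g_bad, second disjunct
                    return False
                if c1(a) and c2(a):               # g_both, Eq. (19)
                    nxt = (step(m1, l1, a), step(m2, l2, a))
                    if nxt not in seen:
                        seen.add(nxt)
                        todo.append(nxt)
                # otherwise g_good (Eq. 20) or an input illegal for I1: nothing to explore
    return True


DOMAINS = {"x": (0, 1, 2), "y": (0, 1, 2)}   # constructed finite domains


def spec():
    """Constructed I1: assumes x > 0; guarantees y > 0, and y = 2 once x = 2 was seen."""
    return Automaton(("l0", "l1"), "l0",
                     {"l0": lambda a: a["x"] > 0 and a["y"] > 0,
                      "l1": lambda a: a["x"] > 0 and a["y"] == 2},
                     (("l0", lambda a: a["x"] == 2, "l1"),))


def impl(correct=True):
    """Constructed I2: input-complete; outputs y = 1, and y = 2 after x = 2 has
    been seen (with correct=False it keeps outputting y = 1, violating I1)."""
    later = 2 if correct else 1
    return Automaton(("m0", "m1"), "m0",
                     {"m0": lambda a: a["x"] <= 0 or a["y"] == 1,
                      "m1": lambda a: a["x"] <= 0 or a["y"] == later},
                     (("m0", lambda a: a["x"] == 2, "m1"),))


if __name__ == "__main__":
    print(refines(impl(), spec(), ("x",), ("y",), DOMAINS))          # True
    print(refines(impl(False), spec(), ("x",), ("y",), DOMAINS))     # False
```

The correct implementation refines the specification, the faulty one is caught in the product location reached after x = 2 (where it still outputs y = 1 while the specification only allows y = 2), and the specification does not refine the implementation because it rejects the input x = 0 that the implementation accepts, which is exactly the first disjunct of $g_{bad}$.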


Figure 10: Buffer interface of Figure 1 with additional output variable ack. (Labels in the figure: global contract: not (empty and full) and not (write and read) and (full => not write) and (empty => not read) and ack; additional contract at q0: empty; additional contract at q1: full.)


We proceed to state the main properties of refinement. First, observe that, perhaps surprisingly, interfaces with false contracts (i.e., $f = \{\varepsilon\}$) are “top” elements with respect to the $\sqsubseteq$ order, that is, they are refined by any interface that has the same input and output variables. This is in accordance with Theorem 15 below. The false interface is not pluggable to any environment.

Lemma 5 Let $I = (X, Y, f)$, $I' = (X, Y, f')$, $I'' = (X, Y, f'')$ be interfaces such that $I'' \sqsubseteq I'$ and $I' \sqsubseteq I$. Then $f \cap f'' \subseteq f'$.

Proof: By induction on the length of states. Basis: $\varepsilon \in f'$. Induction step: suppose $s \cdot a \in f \cap f''$. Then $s \in f \cap f''$. From the induction hypothesis, $s \in f'$. $s \cdot a \in f \cap f''$ implies $a \models f(s) \land f''(s)$. $a \models f(s)$ implies $a \models \mathrm{in}(f(s))$. The latter and $I' \sqsubseteq I$ imply $a \models \mathrm{in}(f'(s))$. The latter, together with $I'' \sqsubseteq I'$ and $a \models f''(s)$, imply $a \models f'(s)$. This and $s \in f'$ imply $s \cdot a \in f'$. ■

Theorem 10 (Partial order) $\sqsubseteq$ is a partial order, that is, a reflexive, antisymmetric and transitive relation.

Proof: $\sqsubseteq$ is reflexive because Condition 14 clearly holds when $f = f'$. To show that $\sqsubseteq$ is transitive, let $I = (X, Y, f)$, $I' = (X', Y', f')$, $I'' = (X'', Y'', f'')$, and suppose $I'' \sqsubseteq I'$ and $I' \sqsubseteq I$. We must prove $I'' \sqsubseteq I$. Suppose $s \in f \cap f''$. By Lemma 5, $s \in f \cap f'$ and $s \in f' \cap f''$. These facts together with $I'' \sqsubseteq I'$ and $I' \sqsubseteq I$ imply $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$, $\mathrm{in}(f(s)) \land f'(s) \to f(s)$, $\mathrm{in}(f'(s)) \to \mathrm{in}(f''(s))$, and $\mathrm{in}(f'(s)) \land f''(s) \to f'(s)$. These imply $\mathrm{in}(f(s)) \to \mathrm{in}(f''(s))$ and $\mathrm{in}(f(s)) \land f''(s) \to f(s)$. To show that $\sqsubseteq$ is antisymmetric suppose $I' \sqsubseteq I$ and $I \sqsubseteq I'$. We must prove $I = I'$. By Lemma 5 and setting $I'' := I$ we get $f \subseteq f'$. By the same lemma and reversing the roles of $I$ and $I'$ we get $f' \subseteq f$. ■


Theorem 11 (Refinement preserves well-formedness for stateless interfaces) Let $I, I'$ be stateless interfaces such that $I' \sqsubseteq I$. If $I$ is well-formed then $I'$ is well-formed.

Proof: Let $I = (X, Y, \phi)$ and $I' = (X', Y', \phi')$. $I$ is well-formed, thus $\phi$ is satisfiable. Let $a$ be an assignment satisfying $\phi$ and let $a_X$ and $a_Y$ be the restrictions of $a$ to $X$ and $Y$, respectively. By definition of $\mathrm{in}(\phi)$, $a_X \models \mathrm{in}(\phi)$. By Condition (15), $a_X \models \mathrm{in}(\phi') = \exists Y' : \phi'$. Therefore, there exists $a_{Y'}$ such that $(a_X, a_{Y'}) \models \phi'$. Thus, $\phi'$ is satisfiable. Thus, $I'$ is well-formed. ■

Theorem 11 does not generally hold for stateful interfaces: the reason is that, because $I'$ may accept more inputs than $I$, there may be states that are reachable in $I'$ but not in $I$, and the contract of $I'$ in these states may be unsatisfiable. When this situation does not occur, refinement preserves well-formedness also in the stateful case. Moreover, refinement always preserves well-formability:

Theorem  12  (Refinement  and  well-formedness/-formability)  Let  1,1'  be  interfaces  such  that  I'  Q  I. 

1.  If  I  is  well-formed  and  f  C  f  then  I'  is  well-formed. 

2.  If  I,  I'  are  sources  and  I  is  well-formed,  then  I'  is  also  well-formed. 

3.  If  I  is  well-formable  then  I'  is  well-formable. 

Proof: Let $I = (X, Y, f)$ and $I' = (X', Y', f')$.

1. Suppose $I$ is well-formed and $\mathcal{R}' \subseteq \mathcal{R}$. We need to show that for any $s \in \mathcal{R}'$, $f'(s)$ is non-empty. By hypothesis, $s \in \mathcal{R}$ and $I$ is well-formed, therefore $f(s)$ is non-empty. Reasoning as in the proof of Theorem 11, we can show that $f'(s)$ is also non-empty.

2. This is a special case of part 1 of the theorem: $I$ is a source and well-formed, therefore it is input-complete, as will be shown in Theorem 19. For input-complete interfaces, $I' \sqsubseteq I$ implies $\mathcal{R}' \subseteq \mathcal{R}$ (Theorem 25), therefore part 1 applies.

3. Suppose $I$ is well-formable. Then there exists $I_1 = (X, Y, f_1)$ such that $I_1$ is well-formed, and for all $s \in \mathcal{R}_1$, $f_1(s) = f(s) \wedge \phi_s$, for some property $\phi_s$ over $X$. Since $f_1$ strengthens $f$, $\mathcal{R}_1 \subseteq \mathcal{R}$. Since $f(s) \wedge \phi_s = f(s) \wedge \mathrm{in}(f(s)) \wedge \phi_s$, we can assume without loss of generality that $\phi_s \to \mathrm{in}(f(s))$. We define $I_2 := (X, Y, f_2)$ such that $f_2(s) := f'(s) \wedge \phi_s$ if $s \in \mathcal{R}_1$, and $f_2(s) := f'(s)$ if $s \notin \mathcal{R}_1$.

Claim 1: $\mathcal{R}_2 \subseteq \mathcal{R}_1$. By induction on the length of a state $s$. The result holds for $s = \epsilon$. Suppose $s \cdot a \in \mathcal{R}_2$. Then $s \in \mathcal{R}_2$ and from the induction hypothesis, $s \in \mathcal{R}_1$. Also, $a \models f_2(s) = f'(s) \wedge \phi_s$ (because $s \in \mathcal{R}_1$). Since $\phi_s \to \mathrm{in}(f(s))$, $a \models \mathrm{in}(f(s)) \wedge f'(s)$. This and $I' \sqsubseteq I$ imply $a \models f(s)$, thus $a \models f(s) \wedge \phi_s = f_1(s)$. Thus $s \cdot a \in \mathcal{R}_1$.

Claim 2: $\mathcal{R}_2 \subseteq \mathcal{R}'$. Because $f_2$ is a strengthening of $f'$.

Claim 3: $I_2 \sqsubseteq I_1$. Suppose $s \in \mathcal{R}_1 \cap \mathcal{R}_2$. By Claim 2 and the fact $\mathcal{R}_1 \subseteq \mathcal{R}$, we have $s \in \mathcal{R} \cap \mathcal{R}'$. Then $\mathrm{in}(f_1(s)) = \mathrm{in}(f(s)) \wedge \phi_s$. Since $I' \sqsubseteq I$ and $s \in \mathcal{R} \cap \mathcal{R}'$, $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$. Therefore $\mathrm{in}(f(s)) \wedge \phi_s \to \mathrm{in}(f'(s)) \wedge \phi_s$. The latter formula is equivalent to $\mathrm{in}(f_2(s))$ because $s \in \mathcal{R}_1$. Also, $\mathrm{in}(f_1(s)) \wedge f_2(s) = \mathrm{in}(f(s)) \wedge f'(s) \wedge \phi_s \to f(s) \wedge \phi_s = f_1(s)$. This completes Claim 3.

Claim 4: for all $s \in \mathcal{R}_2$, $f_2(s) = f'(s) \wedge \phi_s$. Follows by definition of $f_2$ and Claim 1.

Claim 1 and Claim 3, together with the fact that $I_1$ is well-formed, and by part 1 of this theorem, imply that $I_2$ is well-formed. Claim 4 implies that $I_2$ is a witness for $I'$, thus $I'$ is well-formable. ■

Figure 11: Setting used in Theorem 13.


Lemma 6 Consider two disjoint interfaces $I_1$ and $I_2$, and a connection $\theta$ between $I_1, I_2$. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be the projections of $\mathcal{R}(\theta(I_1, I_2))$ to states over the variables of $I_1$ and $I_2$, respectively. Then $\mathcal{R}_1 \subseteq \mathcal{R}(I_1)$ and $\mathcal{R}_2 \subseteq \mathcal{R}(I_2)$.

Proof: Let $\mathcal{R} := \mathcal{R}(\theta(I_1, I_2))$. The proof is by induction on the length of states. Basis: the result holds for $\epsilon$. Induction step: Let $s_1 \cdot a_1 \in \mathcal{R}_1$. This means that there exists a state $s \cdot a \in \mathcal{R}$ such that $s_1 \cdot a_1$ is the projection of $s \cdot a$ to the variables of $I_1$. From $s \cdot a \in \mathcal{R}$, we get $a \models f(s)$, i.e. $a \models f_1(s_1) \wedge f_2(s_2) \wedge \cdots$. Therefore $a \models f_1(s_1)$, which means $a_1 \models f_1(s_1)$. By the induction hypothesis, $s_1 \in \mathcal{R}(I_1)$. These two facts imply $s_1 \cdot a_1 \in \mathcal{R}(I_1)$. This proves $\mathcal{R}_1 \subseteq \mathcal{R}(I_1)$. The proof of $\mathcal{R}_2 \subseteq \mathcal{R}(I_2)$ is similar. ■

Theorems  13  and  14  state  a  major  property  of  our  theory,  namely,  that  refinement  is  preserved  by 
composition. 

Theorem 13 (Connection preserves refinement) Consider two disjoint interfaces $I_1$ and $I_2$, and a connection $\theta$ between $I_1, I_2$. Let $I_1', I_2'$ be interfaces such that $I_1' \sqsubseteq I_1$ and $I_2' \sqsubseteq I_2$. Then $\theta(I_1', I_2') \sqsubseteq \theta(I_1, I_2)$.

Proof: Let $I_1 = (X, Y \cup V, f_1)$ and $I_2 = (Z \cup W, U, f_2)$, so that $Y \cap V = Z \cap W = \emptyset$, $Y = \mathrm{OutVars}(\theta)$ and $Z = \mathrm{InVars}(\theta)$. In other words, $Y$ is the set of output variables of $I_1$ that are connected to input variables of $I_2$, and $V$ is the set of the remaining output variables of $I_1$; $Z$ is the set of input variables of $I_2$ that are connected to outputs of $I_1$, and $W$ the set of those that are not connected. Any of the sets $X, Y, V, Z, W, U$ may be empty. Let $I_1' = (X, Y \cup V, f_1')$ and $I_2' = (Z \cup W, U, f_2')$. The composition setting is illustrated in Figure 11.

Given the above, and Definition 9, we have, for $s \in \mathcal{A}(X \cup W \cup Y \cup V \cup Z \cup U)^*$, $s_1$ the projection of $s$ to $X \cup Y \cup V$, and $s_2$ the projection of $s$ to $W \cup Z \cup U$:

$\theta(I_1, I_2) := (X \cup W,\; Y \cup V \cup Z \cup U,\; f)$ (22)

$f(s) := f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta \wedge \Phi$ (23)

$\Phi := \forall Y \cup V \cup Z \cup U : (f_1(s_1) \wedge \rho_\theta) \to \mathrm{in}(f_2(s_2))$ (24)

$\theta(I_1', I_2') := (X \cup W,\; Y \cup V \cup Z \cup U,\; f')$ (25)

$f'(s) := f_1'(s_1) \wedge f_2'(s_2) \wedge \rho_\theta \wedge \Phi'$ (26)

$\Phi' := \forall Y \cup V \cup Z \cup U : (f_1'(s_1) \wedge \rho_\theta) \to \mathrm{in}(f_2'(s_2))$ (27)

Let $s \in \mathcal{R} \cap \mathcal{R}'$. To prove $\theta(I_1', I_2') \sqsubseteq \theta(I_1, I_2)$ we need to prove that: (A) $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$ is valid; and (B) $(\mathrm{in}(f(s)) \wedge f'(s)) \to f(s)$ is valid. Note that, by Lemma 6, $s_1 \in \mathcal{R}(I_1) \cap \mathcal{R}(I_1')$ and $s_2 \in \mathcal{R}(I_2) \cap \mathcal{R}(I_2')$, so the refinement conditions of $I_1' \sqsubseteq I_1$ and $I_2' \sqsubseteq I_2$ apply at $s_1$ and $s_2$. We use these two facts without mention in the rest of the proof. We proceed in proving claims (A) and (B).

(A): $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$ is valid. Suppose the result does not hold. This means that $\mathrm{in}(f(s)) \wedge \neg\mathrm{in}(f'(s))$ is satisfiable, i.e.,

$\psi_1 := (\exists Y \cup V \cup Z \cup U : f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta \wedge \Phi) \wedge (\forall Y \cup V \cup Z \cup U : \neg f_1'(s_1) \vee \neg f_2'(s_2) \vee \neg\rho_\theta \vee \neg\Phi')$

is satisfiable. Note that $\psi_1$, $\Phi$ and $\Phi'$ are all formulae over $X \cup W$, therefore $\psi_1$ is equivalent to:

$\psi_2 := \Phi \wedge (\exists Y \cup V \cup Z \cup U : f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta) \wedge (\neg\Phi' \vee (\forall Y \cup V \cup Z \cup U : \neg f_1'(s_1) \vee \neg f_2'(s_2) \vee \neg\rho_\theta))$

Let $a$ be an assignment over $X \cup W$ satisfying $\psi_2$. We claim that $a \not\models \Phi'$. Suppose not, i.e., $a \models \Phi'$. Then, from $a \models \psi_2$, we derive $a \models \forall Y \cup V \cup Z \cup U : \neg f_1'(s_1) \vee \neg f_2'(s_2) \vee \neg\rho_\theta$. Also, $a \models \mathrm{in}(f_1(s_1))$. Since $I_1' \sqsubseteq I_1$, $a \models \mathrm{in}(f_1'(s_1))$. This means that there exists an assignment $c$ over $Y \cup V$ such that $(a, c) \models f_1'(s_1)$. Let $d$ be an assignment over $Z$ such that $(c, d) \models \rho_\theta$: that is, we set each input variable $z$ of $I_2$ to the value $c(y)$ of the output variable $y$ of $I_1$ that $z$ is connected to. Combining, we have $(a, c, d) \models f_1'(s_1) \wedge \rho_\theta$. This and $a \models \Phi'$ imply that $(a, c, d) \models \mathrm{in}(f_2'(s_2))$. Therefore, there exists an assignment $e$ over $U$ such that $(a, c, d, e) \models f_2'(s_2)$. Combining, we have $(a, c, d, e) \models f_1'(s_1) \wedge f_2'(s_2) \wedge \rho_\theta$, which contradicts $a \models \forall Y \cup V \cup Z \cup U : \neg f_1'(s_1) \vee \neg f_2'(s_2) \vee \neg\rho_\theta$. Thus the claim $a \not\models \Phi'$ is proven and we have that $a$ satisfies:

$\psi_3 := \Phi \wedge \neg\Phi' \wedge (\exists Y \cup V \cup Z \cup U : f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta)$

Since $a$ does not satisfy $\Phi'$, there exists an assignment $b$ over $Y \cup V \cup Z \cup U$ such that $(a, b) \models f_1'(s_1) \wedge \rho_\theta \wedge \neg\mathrm{in}(f_2'(s_2))$. Since $I_2' \sqsubseteq I_2$, $\mathrm{in}(f_2(s_2)) \to \mathrm{in}(f_2'(s_2))$, or equivalently $\neg\mathrm{in}(f_2'(s_2)) \to \neg\mathrm{in}(f_2(s_2))$. Therefore $(a, b) \models \neg\mathrm{in}(f_2(s_2))$. Now, from $a \models \psi_3$, we get $(a, b) \models \mathrm{in}(f_1(s_1))$. From $I_1' \sqsubseteq I_1$ we have $\mathrm{in}(f_1(s_1)) \wedge f_1'(s_1) \to f_1(s_1)$. Therefore $(a, b) \models f_1(s_1)$. This, together with $a \models \Phi$ and $(a, b) \models \rho_\theta$, implies $(a, b) \models \mathrm{in}(f_2(s_2))$. Contradiction. This completes the proof of Part (A).

(B): $(\mathrm{in}(f(s)) \wedge f'(s)) \to f(s)$ is valid. Suppose the result does not hold. This means that $\mathrm{in}(f(s)) \wedge f'(s) \wedge \neg f(s)$ is satisfiable, i.e.,

$\psi_4 := (\exists Y \cup V \cup Z \cup U : f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta \wedge \Phi) \wedge (f_1'(s_1) \wedge f_2'(s_2) \wedge \rho_\theta \wedge \Phi') \wedge (\neg f_1(s_1) \vee \neg f_2(s_2) \vee \neg\rho_\theta \vee \neg\Phi)$

is satisfiable. Because $\Phi$ and $\Phi'$ are formulae over $X \cup W$, $\psi_4$ simplifies to:

$\psi_5 := \Phi \wedge \Phi' \wedge (\exists Y \cup V \cup Z \cup U : f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta) \wedge (f_1'(s_1) \wedge f_2'(s_2) \wedge \rho_\theta) \wedge (\neg f_1(s_1) \vee \neg f_2(s_2))$

Let $a$ be an assignment over all variables $X \cup W \cup Y \cup V \cup Z \cup U$ (the conjuncts $f_1'(s_1)$, $f_2'(s_2)$ and $\rho_\theta$ of $\psi_5$ mention the output variables too) such that $a \models \psi_5$. Then $a \models \mathrm{in}(f_1(s_1)) \wedge \mathrm{in}(f_2(s_2)) \wedge f_1'(s_1) \wedge f_2'(s_2)$. From the hypotheses $I_1' \sqsubseteq I_1$ and $I_2' \sqsubseteq I_2$, we get $\mathrm{in}(f_1(s_1)) \wedge f_1'(s_1) \to f_1(s_1)$ and $\mathrm{in}(f_2(s_2)) \wedge f_2'(s_2) \to f_2(s_2)$. Therefore $a \models f_1(s_1) \wedge f_2(s_2)$, which contradicts $a \models \psi_5$. This completes the proof of Part (B) and of the theorem. ■


Theorem 14 (Feedback preserves refinement) Let $I, I'$ be interfaces such that $I' \sqsubseteq I$. Suppose both $I$ and $I'$ are Moore interfaces with respect to one of their input variables, $x$. Let $\kappa = (y, x)$ be a feedback connection. Then $\kappa(I') \sqsubseteq \kappa(I)$.

Proof: Let $I = (X, Y, f)$. Because $I' \sqsubseteq I$, $I' = (X, Y, f')$ for some $f'$. Then $\kappa(I) = (X \setminus \{x\}, Y \cup \{x\}, f_\kappa)$ and $\kappa(I') = (X \setminus \{x\}, Y \cup \{x\}, f_\kappa')$, where $f_\kappa(s) := f(s) \wedge x = y$ and $f_\kappa'(s) := f'(s) \wedge x = y$, for all $s \in \mathcal{A}(X \cup Y)^*$. To show that $\kappa(I') \sqsubseteq \kappa(I)$, we need to prove that for any $s \in \mathcal{R}_\kappa \cap \mathcal{R}_\kappa'$, the following formulae are valid:

$\mathrm{in}(f_\kappa(s)) \to \mathrm{in}(f_\kappa'(s))$

$(\mathrm{in}(f_\kappa(s)) \wedge f_\kappa'(s)) \to f_\kappa(s)$

By part 1 of Lemma 3, $s \in \mathcal{R}_\kappa \cap \mathcal{R}_\kappa'$ implies $s \in \mathcal{R} \cap \mathcal{R}'$. By part 2 of Lemma 3, $\mathrm{in}(f_\kappa(s)) = \mathrm{in}(f(s))$ and $\mathrm{in}(f_\kappa'(s)) = \mathrm{in}(f'(s))$. This and $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$ imply $\mathrm{in}(f_\kappa(s)) \to \mathrm{in}(f_\kappa'(s))$. Moreover:

$(\mathrm{in}(f_\kappa(s)) \wedge f_\kappa'(s)) = (\mathrm{in}(f(s)) \wedge f'(s) \wedge x = y) \to (f(s) \wedge x = y) = f_\kappa(s)$ ■
Note that the assumption that $I'$ be Moore w.r.t. $x$ in Theorem 14 is essential. Indeed, Mooreness is not generally preserved by refinement:

Example 12 Consider the stateless interfaces $I_{even} := (\{x\}, \{y\}, y \bmod 2 = 0)$, where $\bmod$ denotes the modulo operator, and $I_{x2} := (\{x\}, \{y\}, y = 2x)$. $I_{even}$ is Moore. $I_{x2}$ is not Moore. Yet $I_{x2} \sqsubseteq I_{even}$.

It  is  instructive  at  this  point  to  justify  our  restrictions  regarding  feedback  composition,  by  illustrating 
some  of  the  problems  that  would  arise  if  we  allowed  arbitrary  feedback: 

Example 13 This example is borrowed from [19]. Suppose $I_{true}$ is an interface on input $x$ and output $y$, with trivial contract true, making no assumptions on the inputs and no guarantees on the outputs. Suppose $I_{y \ne x}$ is another interface on $x$ and $y$, with contract $y \ne x$, meaning that it guarantees that the value of the output will be different from the value of the input. As expected, $I_{y \ne x}$ refines $I_{true}$: because $I_{y \ne x}$ is "more deterministic" than $I_{true}$, that is, the output guarantees of $I_{y \ne x}$ are stronger. Now, consider the feedback connection $x = y$. This could be considered an allowed connection for $I_{true}$, since it does not contradict its contract: the resulting interface would be $I_{x=y}$ with contract $x = y$. But the same feedback connection contradicts the contract of $I_{y \ne x}$: the resulting interface would be $I_{false}$ with contract false. Although $I_{y \ne x}$ refines $I_{true}$, $I_{false}$ does not refine $I_{x=y}$, therefore allowing arbitrary feedback would violate preservation of refinement by feedback. Notice that both $I_{true}$ and $I_{y \ne x}$ are input-complete, which means that this problem is present also in that special case.
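The following Python script is an added example, not part of the paper, that makes the above definitions executable for stateless interfaces over small finite domains (the domains, variable names and helper names are assumptions of this example). A contract is represented extensionally as the set of assignments satisfying it, so $\mathrm{in}(\phi) = \exists Y : \phi$ is a projection, refinement is the two conditions $\mathrm{in}(\phi) \to \mathrm{in}(\phi')$ and $\mathrm{in}(\phi) \wedge \phi' \to \phi$, and connection computes the demonic term $\Phi$ of (24) explicitly. The script checks Example 12 (Mooreness is not preserved by refinement), Example 13 (why feedback is restricted to Moore interfaces), and Theorem 13 on a connection where $\Phi$ rejects every input of the abstract composite but not of the refined one.

```python
from itertools import product
from dataclasses import dataclass

# Constructed finite domains for the variables used below (an assumption of this example).
DOM = {"x": range(3), "y": range(6), "z": range(6), "u": range(6)}

def assignments(names):
    """All assignments over the given variables, as canonical sorted tuples of (var, value)."""
    names = tuple(sorted(names))
    return [tuple(zip(names, vals)) for vals in product(*(DOM[v] for v in names))]

def restrict(a, names):
    """Projection of an assignment to a subset of variables (keeps the canonical order)."""
    return tuple(p for p in a if p[0] in names)

@dataclass(frozen=True)
class Iface:
    X: frozenset    # input variables
    Y: frozenset    # output variables
    phi: frozenset  # contract, as the set of assignments over X ∪ Y that satisfy it

def iface(X, Y, pred):
    """Stateless interface from a predicate over a dict of variable values."""
    X, Y = frozenset(X), frozenset(Y)
    return Iface(X, Y, frozenset(a for a in assignments(X | Y) if pred(dict(a))))

def inp(I):
    """in(phi) = ∃Y : phi, computed as the set of legal input assignments."""
    return {restrict(a, I.X) for a in I.phi}

def refines(Ip, I):
    """I' ⊑ I: same variables, in(phi) → in(phi'), and in(phi) ∧ phi' → phi."""
    if (Ip.X, Ip.Y) != (I.X, I.Y):
        return False
    legal = inp(I)
    return legal <= inp(Ip) and all(a in I.phi for a in Ip.phi if restrict(a, I.X) in legal)

def is_moore(I, x):
    """Moore w.r.t. input x (stateless case): phi does not depend on the value of x."""
    return all(tuple((v, w if v == x else val) for v, val in a) in I.phi
               for a in I.phi for w in DOM[x])

def feedback(I, y, x, require_moore=True):
    """kappa(I) for kappa = (y, x): x becomes an output, constrained by x = y."""
    if require_moore and not is_moore(I, x):
        raise ValueError(f"feedback on {x} is only allowed when I is Moore w.r.t. {x}")
    return Iface(I.X - {x}, I.Y | {x},
                 frozenset(a for a in I.phi if dict(a)[x] == dict(a)[y]))

def connect(I1, I2, theta):
    """theta(I1, I2) for theta = {(y, z)}: output y of I1 wired to input z of I2.
    Demonic semantics: Phi = ∀Y∪V∪Z∪U : (phi1 ∧ rho) → in(phi2) rejects a composite input
    as soon as SOME output I1 may produce for it would be an illegal input of I2."""
    Z = frozenset(z for _, z in theta)
    X, Y = I1.X | (I2.X - Z), I1.Y | Z | I2.Y
    legal2 = inp(I2)
    def rho(d):                       # rho_theta: wired variables carry equal values
        return all(d[y] == d[z] for y, z in theta)
    def phi_term(a_in):               # Phi, evaluated on one assignment over X ∪ W
        for b in I1.phi:
            if restrict(b, I1.X) != restrict(a_in, I1.X):
                continue
            d = dict(a_in); d.update(b)
            for y, z in theta:
                d[z] = d[y]
            if tuple(sorted((v, d[v]) for v in I2.X)) not in legal2:
                return False
        return True
    phi = frozenset(a for a in assignments(X | Y)
                    if restrict(a, I1.X | I1.Y) in I1.phi
                    and restrict(a, I2.X | I2.Y) in I2.phi
                    and rho(dict(a)) and phi_term(restrict(a, X)))
    return Iface(X, Y, phi)

# Example 12: I_even is Moore w.r.t. x, I_x2 is not, yet I_x2 ⊑ I_even.
I_even = iface("x", "y", lambda d: d["y"] % 2 == 0)
I_x2 = iface("x", "y", lambda d: d["y"] == 2 * d["x"])

# Example 13: I_{y≠x} ⊑ I_true, but closing the loop x = y on both gives I_{x=y} and I_false,
# and I_false does not refine I_{x=y} (its input set in(false) is empty, in(x = y) is not).
I_true = iface("x", "y", lambda d: True)
I_ne = iface("x", "y", lambda d: d["y"] != d["x"])
I_xy = feedback(I_true, "y", "x")                          # I_true is Moore w.r.t. x: allowed
I_false = feedback(I_ne, "y", "x", require_moore=False)    # what arbitrary feedback would give

# Theorem 13 on a connection y -> z where I2 only accepts z >= 1: Phi makes every input of
# theta(I1, I2) illegal, while the refinement I1' = (y = x + 1) keeps all inputs legal.
I1 = iface("x", "y", lambda d: True)
I1p = iface("x", "y", lambda d: d["y"] == d["x"] + 1)
I2 = iface("z", "u", lambda d: d["z"] >= 1 and d["u"] == d["z"])
C, Cp = connect(I1, I2, {("y", "z")}), connect(I1p, I2, {("y", "z")})

if __name__ == "__main__":
    print(refines(I_x2, I_even), is_moore(I_even, "x"), is_moore(I_x2, "x"))   # True True False
    print(refines(I_ne, I_true), refines(I_false, I_xy))                        # True False
    print(refines(I1p, I1), len(inp(C)), len(inp(Cp)), refines(Cp, C))         # True 0 3 True
```

Note that `refines(Cp, C)` holds vacuously because $\mathrm{in}(f(s))$ of the abstract composite is false: the demonic $\Phi$ has turned every input illegal, and any interface refines one with no legal inputs, which is exactly the situation Theorem 13 guarantees is safe.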

Theorem 15 (Refinement and substitutability) Let $I, I'$ be two interfaces.

1. If $I' \sqsubseteq I$ then $I'$ can replace $I$.

2. If $I' \not\sqsubseteq I$ and $I$ is well-formed, then $I'$ cannot replace $I$.

Proof:

1. Suppose $I' \sqsubseteq I$ and let $E$ be an environment such that $I \models E$. We prove that $I' \models E$. Clearly, $E$ is an environment for $I'$, since the input and output variables of $I'$ are the same as those of $I$. We distinguish cases:

• $E$ is Moore. Then we must prove that $\kappa(\theta(E, I'))$ is well-formed, assuming that $\kappa(\theta(E, I))$ is well-formed. By Theorems 13 and 14, $\kappa(\theta(E, I')) \sqsubseteq \kappa(\theta(E, I))$. Both $\kappa(\theta(E, I))$ and $\kappa(\theta(E, I'))$ are source interfaces, therefore, by part 2 of Theorem 12, $\kappa(\theta(E, I'))$ is well-formed.

• $E$ is not Moore, therefore $I$ is Moore. Then we must prove that $\kappa(\theta(I', E))$ is well-formed, assuming that $\kappa(\theta(I, E))$ is well-formed. The argument is similar to the previous case.

2. Let $I = (X, Y, f)$ and $I' = (X', Y', f')$ and suppose $I' \not\sqsubseteq I$. If $X \ne X'$ or $Y \ne Y'$ then we can find, by Theorem 8, an environment $E$ for $I$ such that $I \models E$, and $E$ is not an environment for $I'$, thus $I' \not\models E$. We concentrate on the case $X = X'$ and $Y = Y'$. Then $I' \not\sqsubseteq I$ means there exists $s \in \mathcal{R} \cap \mathcal{R}'$ such that Condition (14) does not hold. Define environment $E$ for $I$ with contract function $f_E$ where $f_E(r) := \mathrm{in}(f(r))$ for all states $r$. (Again we are slightly abusing notation: $\mathrm{in}(f(r))$ is a property over $X$ as the input variables of $I$, whereas $f_E(r)$ is a property over the same set $X$ taken as the output variables of $E$.) By definition, $E$ is Moore. Because $I$ is well-formed, $I \models E$. We claim that $I' \not\models E$. We distinguish cases:

• $\mathrm{in}(f(s)) \not\to \mathrm{in}(f'(s))$: Observe that, in the contract of the connection of $E$ and $I'$, the term $\Phi$ of (9) evaluates to false at state $s$: this is because $f_E(s) \not\to \mathrm{in}(f'(s))$. Therefore the entire contract of the connection is also false at $s$, which means that the connection of $I'$ and $E$ is not well-formed.

• $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$ but $\mathrm{in}(f(s)) \wedge f'(s) \not\to f(s)$: At state $s$, there exists an input $a_X \in \mathrm{in}(f(s)) = f_E(s)$ for which $I'$ can produce an output $a_Y$ such that $a := (a_X, a_Y) \in f'(s) \setminus f(s)$. Since $a \notin f(s)$, $f(s \cdot a)$ is empty, thus $f_E(s \cdot a) = \mathrm{false}$, thus, again, the composition of $I'$ with $E$ is not well-formed. ■
The requirement that $I$ be well-formed in part 2 of Theorem 15 is necessary, as the following example shows.

Example 14 Consider the finite-state interfaces $I$ and $I'$ defined by the automata shown in Figure 2. Both have a single boolean input variable $x$. $I'$ is well-formed but $I$ is not ($I$ is well-formable, however, and $I'$ is a witness). $I' \not\sqsubseteq I$, because at the initial state the input $x = \mathrm{false}$ is legal for $I$ but not for $I'$. But there is no environment $E$ such that $I \models E$ but $I' \not\models E$.

Collecting the results of this section allows us to state the main benefits of our theory, namely substitutability and incrementality. In particular, let $I$ be an interface formed by some composition of interfaces. Suppose we want to replace one of them, $I_1$, by $I_1'$. We only need to ensure that $I_1'$ refines $I_1$. This, together with Theorems 13 and 14, guarantees that the new composition, call it $I'$, obtained by using $I_1'$ instead of $I_1$, refines the old composition $I$. Moreover, Theorems 11 and 12 guarantee that if $I$ is well-formed or well-formable then so is $I'$. This means that it suffices to check, say, well-formability at the level of $I$, without having to repeat the check at the level of $I'$. This is very useful when $I$ represents compact specifications while $I'$ is about detailed implementations, which are more difficult to verify. Finally, thanks to Theorem 15, $I'$ can be plugged into any context (i.e., environment) that $I$ can be plugged into, that is, the method is incremental.

We end this section with an additional remark on the definition of refinement. As mentioned above, replacing Condition (16) with the simpler Condition (17) changes the meaning of refinement in a profound way. In particular, part 2 of Theorem 15 no longer holds, as the following example demonstrates:

Example 15 Consider interface $I_1$ from Example 1 and interface $I_{id} := (\{x\}, \{y\}, x = y)$. It can be checked that $I_{id} \sqsubseteq I_1$. If we used Condition (17) instead of Condition (16) in the definition of refinement, then $I_{id}$ would not refine $I_1$: this is because $x = y \not\to x > 0$. Yet there is no environment $E$ such that $I_1 \models E$ but $I_{id} \not\models E$: this follows from Theorem 15.


9  Shared  refinement  and  shared  abstraction 

A shared refinement operator $\sqcap$ is introduced in [19] for A/G interfaces, as a mechanism to combine two such interfaces $I$ and $I'$ into a single interface $I \sqcap I'$ that refines both $I$ and $I'$. $I \sqcap I'$ is able to accept inputs that are legal in either $I$ or $I'$, and provide outputs that are legal in both $I$ and $I'$. Because of this, $I \sqcap I'$ can replace both $I$ and $I'$, which, as argued in [19], is important for component reuse. A similar mechanism called fusion has also been proposed in [7].

[19] also discusses shared refinement for extended (i.e., relational) interfaces and conjectures that it represents the greatest lower bound with respect to refinement. We show that this holds only if a certain condition is imposed. We call this condition shared refinability. It states that for every input that is legal in both $I$ and $I'$, the corresponding sets of outputs of $I$ and $I'$ must have a non-empty intersection. Otherwise, it is impossible to provide an output that is legal in both $I$ and $I'$.

Definition 17 (Shared refinement) Two interfaces $I = (X, Y, f)$ and $I' = (X', Y', f')$ are shared-refinable if $X = X'$, $Y = Y'$ and the following formula is true for all $s \in \mathcal{R} \cap \mathcal{R}'$:

$\forall X : (\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s))) \to \exists Y : (f(s) \wedge f'(s))$ (28)

In that case, the shared refinement of $I$ and $I'$, denoted $I \sqcap I'$, is the interface defined as follows:

$I \sqcap I' := (X, Y, f_\sqcap)$

$f_\sqcap(s) := (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s))$ (29)

Example 16 Consider interfaces $I_{00} := (\{x\}, \{y\}, x = 0 \to y = 0)$ and $I_{11} := (\{x\}, \{y\}, x = 0 \to y = 1)$. $I_{00}$ and $I_{11}$ are not shared-refinable because there is no way to satisfy $y = 0 \wedge y = 1$ when $x = 0$.
For finite-state interfaces, shared refinement is computable. Let $M_i = (X, Y, L_i, \ell_{0,i}, C_i, T_i)$ be finite-state automata representing $I_i$, for $i = 1, 2$, respectively. Suppose $I_1, I_2$ are shared-refinable. Then $I_1 \sqcap I_2$ can be represented as the automaton $M := (X, Y, L_1 \times L_2 \cup L_1 \cup L_2, (\ell_{0,1}, \ell_{0,2}), C, T)$, where $C$ and $T$ are defined as follows (guard $g_{both}$ is defined as in (19)):

$C(\ell) := (\mathrm{in}(C_1(\ell_1)) \vee \mathrm{in}(C_2(\ell_2))) \wedge (\mathrm{in}(C_1(\ell_1)) \to C_1(\ell_1)) \wedge (\mathrm{in}(C_2(\ell_2)) \to C_2(\ell_2))$, if $\ell = (\ell_1, \ell_2) \in L_1 \times L_2$;
$C(\ell) := C_1(\ell)$, if $\ell \in L_1$;
$C(\ell) := C_2(\ell)$, if $\ell \in L_2$. (30)

$T := \{((\ell_1, \ell_2),\; g_{both} \wedge g_1 \wedge g_2,\; (\ell_1', \ell_2')) \mid (\ell_i, g_i, \ell_i') \in T_i,\ i = 1, 2\}$
$\quad \cup\ \{((\ell_1, \ell_2),\; \neg C_2(\ell_2) \wedge g_1,\; \ell_1') \mid (\ell_1, g_1, \ell_1') \in T_1\} \cup T_1$
$\quad \cup\ \{((\ell_1, \ell_2),\; \neg C_1(\ell_1) \wedge g_2,\; \ell_2') \mid (\ell_2, g_2, \ell_2') \in T_2\} \cup T_2$ (31)

As long as the contracts of both $M_1$ and $M_2$ are satisfied, $M$ behaves as a synchronous product. If the contract of one automaton is violated, then $M$ continues with the other.

Lemma 7 If $I$ and $I'$ are shared-refinable interfaces then

$\mathcal{R}(I) \cap \mathcal{R}(I') \subseteq \mathcal{R}(I \sqcap I') \subseteq \mathcal{R}(I) \cup \mathcal{R}(I')$

Proof: Let $I = (X, Y, f)$ and $I' = (X', Y', f')$.

$\mathcal{R} \cap \mathcal{R}' \subseteq \mathcal{R}(I \sqcap I')$: By induction on the length of states. It holds for the state of length zero, i.e., the empty state $\epsilon$, because $\epsilon$ is reachable in any interface. Suppose $s \cdot a \in \mathcal{R} \cap \mathcal{R}'$. Then $s \in \mathcal{R} \cap \mathcal{R}'$, and from the induction hypothesis, $s \in \mathcal{R}(I \sqcap I')$. Since $s \cdot a \in \mathcal{R}$, $a \models f(s)$. Since $s \cdot a \in \mathcal{R}'$, $a \models f'(s)$. Thus $a \models f(s) \wedge f'(s)$. Thus $a \models (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s)) = f_\sqcap(s)$.

$\mathcal{R}(I \sqcap I') \subseteq \mathcal{R} \cup \mathcal{R}'$: By induction on the length of states. Basis: it holds for the empty state $\epsilon$. Induction step: Suppose $s \cdot a \in \mathcal{R}(I \sqcap I')$. Then $a \models f_\sqcap(s)$. Also, $s \in \mathcal{R}(I \sqcap I')$, and from the induction hypothesis, $s \in \mathcal{R} \cup \mathcal{R}'$. Suppose $s \in \mathcal{R}$ (the other case is symmetric). There are two sub-cases:

Case 1: $s \in \mathcal{R}'$: Then $f_\sqcap(s) = (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s))$. Since $a \models f_\sqcap(s)$, $a \models (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s)))$. Suppose $a \models \mathrm{in}(f(s))$ (the other case is symmetric). Then, since $a \models \mathrm{in}(f(s)) \to f(s)$, we have $a \models f(s)$, thus $s \cdot a \in \mathcal{R}$.

Case 2: $s \notin \mathcal{R}'$: Then $f_\sqcap(s) = f(s)$, therefore $a \models f(s)$, thus $s \cdot a \in \mathcal{R}$. ■



Lemma 8 Let $I$ and $I'$ be shared-refinable interfaces such that $I = (X, Y, f)$, $I' = (X, Y, f')$ and $I \sqcap I' = (X, Y, f_\sqcap)$. Then:

$\mathrm{in}(f_\sqcap(s)) = \mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))$

Proof: Using the fact that $\mathrm{in}(f(s))$ and $\mathrm{in}(f'(s))$ are properties over $X$, and the fact that the existential quantifier distributes over disjunctions, we can show the following equivalences:

$\mathrm{in}(f_\sqcap(s)) = \exists Y : (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s))$

$= (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge \exists Y : (\neg\mathrm{in}(f(s)) \vee f(s)) \wedge (\neg\mathrm{in}(f'(s)) \vee f'(s))$

$= (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge \exists Y : (\neg\mathrm{in}(f(s)) \wedge \neg\mathrm{in}(f'(s)) \vee \neg\mathrm{in}(f(s)) \wedge f'(s) \vee f(s) \wedge \neg\mathrm{in}(f'(s)) \vee f(s) \wedge f'(s))$

$= (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\neg\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \vee \mathrm{in}(f(s)) \wedge \neg\mathrm{in}(f'(s)) \vee (\exists Y : f(s) \wedge f'(s)))$

Clearly, the last formula implies $\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))$. The converse also holds, thanks to shared-refinability Condition (28): when both $\mathrm{in}(f(s))$ and $\mathrm{in}(f'(s))$ hold, (28) supplies the disjunct $\exists Y : f(s) \wedge f'(s)$. ■


Theorem 16 (Greatest lower bound) If $I$ and $I'$ are shared-refinable interfaces then $(I \sqcap I') \sqsubseteq I$, $(I \sqcap I') \sqsubseteq I'$, and for any interface $I''$ such that $I'' \sqsubseteq I$ and $I'' \sqsubseteq I'$, we have $I''\sqsubseteq (I \sqcap I')$.

Proof: Since $I$ and $I'$ are shared-refinable, they have the same sets of input and output variables. Let $I = (X, Y, f)$ and $I' = (X, Y, f')$. Let $I \sqcap I' = (X, Y, f_\sqcap)$. To prove $(I \sqcap I') \sqsubseteq I$, we need to show

$\mathrm{in}(f(s)) \to \mathrm{in}(f_\sqcap(s))$

$(\mathrm{in}(f(s)) \wedge f_\sqcap(s)) \to f(s)$

The first condition follows from Lemma 8 and the second by definition of $f_\sqcap$. The proof for $(I \sqcap I') \sqsubseteq I'$ is symmetric. Thus $I \sqcap I'$ is a lower bound of $I$ and $I'$.

To show that $I \sqcap I'$ is the greatest lower bound, let $I'' = (X, Y, f'')$. To prove $I'' \sqsubseteq (I \sqcap I')$ we must prove $\mathrm{in}(f_\sqcap(s)) \to \mathrm{in}(f''(s))$ and $\mathrm{in}(f_\sqcap(s)) \wedge f''(s) \to f_\sqcap(s)$. By Lemma 8 and the definition of $f_\sqcap$, these conditions become:

$(\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \to \mathrm{in}(f''(s))$

$((\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge f''(s)) \to ((\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s)))$

From hypotheses $I'' \sqsubseteq I$ and $I'' \sqsubseteq I'$ we get $\mathrm{in}(f(s)) \to \mathrm{in}(f''(s))$ and $\mathrm{in}(f'(s)) \to \mathrm{in}(f''(s))$, from which the first condition follows. We also get $\mathrm{in}(f(s)) \wedge f''(s) \to f(s)$ and $\mathrm{in}(f'(s)) \wedge f''(s) \to f'(s)$, that is, $f''(s) \to (\mathrm{in}(f(s)) \to f(s))$ and $f''(s) \to (\mathrm{in}(f'(s)) \to f'(s))$; therefore

$(\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) \wedge f''(s) \to (\mathrm{in}(f(s)) \to f(s)) \wedge (\mathrm{in}(f'(s)) \to f'(s))$,

from which the second condition follows. ■


Theorem 17 (Shared-refinement preserves well-formedness) If $I$ and $I'$ are shared-refinable interfaces and both are well-formed, then $I \sqcap I'$ is well-formed.

Proof: Let $I = (X, Y, f)$, $I' = (X, Y, f')$ and $I \sqcap I' = (X, Y, f_\sqcap)$. Let $s \in \mathcal{R}_\sqcap$. By Lemma 7, $s \in \mathcal{R} \cup \mathcal{R}'$. Suppose $s \in \mathcal{R}$. By hypothesis, $f(s) \ne \emptyset$. Let $a \in f(s)$ and $a = (a_X, a_Y)$ where $a_X \in \mathcal{A}(X)$ and $a_Y \in \mathcal{A}(Y)$. Clearly, $a_X \in \mathrm{in}(f(s))$. If $a_X \notin \mathrm{in}(f'(s))$ then $a$ clearly satisfies Formula (29), thus $a \in f_\sqcap(s)$. If $a_X \in \mathrm{in}(f'(s))$ then $a_X \in \mathrm{in}(f(s)) \cap \mathrm{in}(f'(s))$, therefore, by shared-refinability Condition (28), there must exist $a_Y' \in \mathcal{A}(Y)$ such that $(a_X, a_Y') \in f(s) \cap f'(s)$. Then $(a_X, a_Y')$ clearly satisfies Formula (29), thus $(a_X, a_Y') \in f_\sqcap(s)$. The case $s \in \mathcal{R}'$ is symmetric. ■

It is useful to consider the dual operator to $\sqcap$, that we call shared abstraction and denote $\sqcup$. Contrary to $\sqcap$, $\sqcup$ is always defined, provided the interfaces have the same input and output variables:

Definition 18 (Shared abstraction) Two interfaces $I = (X, Y, f)$ and $I' = (X', Y', f')$ are shared-abstractable if $X = X'$ and $Y = Y'$. In that case, the shared abstraction of $I$ and $I'$, denoted $I \sqcup I'$, is the interface:

$I \sqcup I' := (X, Y, f_\sqcup)$

$f_\sqcup(s) := \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s))$, if $s \in \mathcal{R} \cap \mathcal{R}'$;
$f_\sqcup(s) := f(s)$, if $s \in \mathcal{R} \setminus \mathcal{R}'$;
$f_\sqcup(s) := f'(s)$, if $s \in \mathcal{R}' \setminus \mathcal{R}$.

Notice that it suffices to define $f_\sqcup(s)$ for $s \in \mathcal{R} \cup \mathcal{R}'$. Indeed, the above definition inductively implies $\mathcal{R}_\sqcup \subseteq \mathcal{R} \cup \mathcal{R}'$:

Lemma 9 If $I$ and $I'$ are shared-abstractable interfaces then

$\mathcal{R}(I) \cap \mathcal{R}(I') \subseteq \mathcal{R}(I \sqcup I') \subseteq \mathcal{R}(I) \cup \mathcal{R}(I')$

Proof: Let $I = (X, Y, f)$, $I' = (X, Y, f')$ and $I \sqcup I' = (X, Y, f_\sqcup)$. We prove $\mathcal{R}_\sqcup \subseteq \mathcal{R} \cup \mathcal{R}'$ by induction on the length of states. Basis: it holds for $\epsilon$. Step: let $s \cdot a \in \mathcal{R}_\sqcup$. Then $a \in f_\sqcup(s)$. Thus $s \in \mathcal{R}_\sqcup$ and from the induction hypothesis, $s \in \mathcal{R} \cup \mathcal{R}'$. There are three cases:

• $s \in \mathcal{R} \cap \mathcal{R}'$: Then $a \models \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s))$, thus $a \in f(s) \cup f'(s)$. Thus $s \cdot a \in \mathcal{R} \cup \mathcal{R}'$.

• $s \in \mathcal{R} \setminus \mathcal{R}'$: Then $a \models f(s)$, thus $s \cdot a \in \mathcal{R}$.

• $s \in \mathcal{R}' \setminus \mathcal{R}$: Then $a \models f'(s)$, thus $s \cdot a \in \mathcal{R}'$.

The proof of $\mathcal{R} \cap \mathcal{R}' \subseteq \mathcal{R}_\sqcup$ is also by induction. Let $s \cdot a \in \mathcal{R} \cap \mathcal{R}'$. Then $a \in f(s) \cap f'(s)$, so $s \in \mathcal{R} \cap \mathcal{R}'$. Clearly then, $a \models f_\sqcup(s)$, thus $s \cdot a \in \mathcal{R}_\sqcup$. ■

For finite-state interfaces, shared abstraction is computable. Let $M_i = (X, Y, L_i, \ell_{0,i}, C_i, T_i)$ be finite-state automata representing $I_i$, for $i = 1, 2$, respectively. Suppose $I_1, I_2$ are shared-abstractable. Then $I_1 \sqcup I_2$ can be represented as the automaton $M := (X, Y, L_1 \times L_2 \cup L_1 \cup L_2, (\ell_{0,1}, \ell_{0,2}), C, T)$, where $C$ and $T$ are defined as follows (guard $g_{both}$ is defined as in (19)):

$C(\ell) := \mathrm{in}(C_1(\ell_1)) \wedge \mathrm{in}(C_2(\ell_2)) \wedge (C_1(\ell_1) \vee C_2(\ell_2))$, if $\ell = (\ell_1, \ell_2) \in L_1 \times L_2$;
$C(\ell) := C_1(\ell)$, if $\ell \in L_1$;
$C(\ell) := C_2(\ell)$, if $\ell \in L_2$. (33)

$T := \{((\ell_1, \ell_2),\; g_{both} \wedge g_1 \wedge g_2,\; (\ell_1', \ell_2')) \mid (\ell_i, g_i, \ell_i') \in T_i,\ i = 1, 2\}$
$\quad \cup\ \{((\ell_1, \ell_2),\; \mathrm{in}(C_1(\ell_1)) \wedge \mathrm{in}(C_2(\ell_2)) \wedge \neg C_2(\ell_2) \wedge g_1,\; \ell_1') \mid (\ell_1, g_1, \ell_1') \in T_1\} \cup T_1$
$\quad \cup\ \{((\ell_1, \ell_2),\; \mathrm{in}(C_1(\ell_1)) \wedge \mathrm{in}(C_2(\ell_2)) \wedge \neg C_1(\ell_1) \wedge g_2,\; \ell_2') \mid (\ell_2, g_2, \ell_2') \in T_2\} \cup T_2$ (34)

Like the automaton for $I \sqcap I'$, $M$ behaves as the synchronous product of $M_1$ and $M_2$ as long as the contracts of both are satisfied. When the contract of one is violated, $M$ continues with the other.

Theorem 18 (Least upper bound) If $I$ and $I'$ are shared-abstractable interfaces then $I \sqsubseteq (I \sqcup I')$, $I' \sqsubseteq (I \sqcup I')$, and for any interface $I''$ such that $I \sqsubseteq I''$ and $I' \sqsubseteq I''$, we have $(I \sqcup I') \sqsubseteq I''$.

Proof: Let $I = (X, Y, f)$, $I' = (X, Y, f')$ and $I \sqcup I' = (X, Y, f_\sqcup)$. Consider $s \in \mathcal{R} \cap \mathcal{R}_\sqcup$. There are two cases:

• $s \in \mathcal{R}'$: Then

$\mathrm{in}(f_\sqcup(s)) = \mathrm{in}\big(\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s))\big) = \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge \mathrm{in}(f(s) \vee f'(s)) = \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (\mathrm{in}(f(s)) \vee \mathrm{in}(f'(s))) = \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s))$

and the refinement conditions for $I \sqsubseteq (I \sqcup I')$ become

$(\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s))) \to \mathrm{in}(f(s))$

$(\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge f(s)) \to (\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s)))$

which clearly hold.

• $s \notin \mathcal{R}'$: Then $\mathrm{in}(f_\sqcup(s)) = \mathrm{in}(f(s))$, and the refinement conditions for $I \sqsubseteq (I \sqcup I')$ become $\mathrm{in}(f(s)) \to \mathrm{in}(f(s))$ and $\mathrm{in}(f(s)) \wedge f(s) \to f(s)$, which clearly hold.

This proves $I \sqsubseteq (I \sqcup I')$. Similarly we show $I' \sqsubseteq (I \sqcup I')$.

Now, let $I'' = (X, Y, f'')$ and consider $s \in \mathcal{R}_\sqcup \cap \mathcal{R}''$. By Lemma 9, $s \in (\mathcal{R} \cup \mathcal{R}') \cap \mathcal{R}''$. To show $(I \sqcup I') \sqsubseteq I''$, we need to show $\mathrm{in}(f''(s)) \to \mathrm{in}(f_\sqcup(s))$ and $\mathrm{in}(f''(s)) \wedge f_\sqcup(s) \to f''(s)$. We reason by cases:

• $s \in \mathcal{R} \cap \mathcal{R}' \cap \mathcal{R}''$: then the proof obligations above become $\mathrm{in}(f''(s)) \to \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s))$ and $\mathrm{in}(f''(s)) \wedge \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s)) \to f''(s)$. From hypotheses $s \in \mathcal{R} \cap \mathcal{R}'$, $I \sqsubseteq I''$ and $I' \sqsubseteq I''$ we get $\mathrm{in}(f''(s)) \to \mathrm{in}(f(s))$ and $\mathrm{in}(f''(s)) \to \mathrm{in}(f'(s))$, from which the first condition follows. We also get $\mathrm{in}(f''(s)) \wedge f(s) \to f''(s)$ and $\mathrm{in}(f''(s)) \wedge f'(s) \to f''(s)$, therefore $\mathrm{in}(f''(s)) \wedge (f(s) \vee f'(s)) \to f''(s)$, from which the second condition follows.

• $s \in (\mathcal{R} \setminus \mathcal{R}') \cap \mathcal{R}''$: then the proof obligations become $\mathrm{in}(f''(s)) \to \mathrm{in}(f(s))$ and $\mathrm{in}(f''(s)) \wedge f(s) \to f''(s)$, which hold from hypotheses $s \in \mathcal{R} \cap \mathcal{R}''$ and $I \sqsubseteq I''$.

• $s \in (\mathcal{R}' \setminus \mathcal{R}) \cap \mathcal{R}''$: similar to the previous case. ■

Notice that, even when $I, I'$ are both well-formed, $I \sqcup I'$ may be non-well-formed, or even non-well-formable. This occurs, for instance, when $I$ and $I'$ are stateless with contracts $\phi$ and $\phi'$ such that $\mathrm{in}(\phi) \wedge \mathrm{in}(\phi')$ is false. This does not contradict Theorem 18, since false is refined by any contract, as observed earlier.

10  The  input-complete  case 

Input-complete  interfaces  do  not  restrict  the  set  of  input  values,  although  they  may  provide  no  guarantees 
when  the  input  values  are  illegal.  Although  input-complete  interfaces  are  a  special  case  of  general  interfaces, 
it  is  instructive  to  study  them  separately  for  two  reasons:  first,  input-completeness  makes  things  much 
simpler,  thus  easier  to  understand  and  implement;  second,  some  interesting  properties  hold  for  input-complete 
interfaces  but  not  in  general. 

Theorem 19 Every well-formed source interface is input-complete. So is every well-formed Moore interface.

Proof: Let $I$ be a well-formed interface with contract $f$. If $I$ is a source interface then it has no input variables. In that case, $\mathrm{in}(f(s))$ is a formula with no free variables, therefore it is equivalent to either true or false. $I$ is well-formed, so $\mathrm{in}(f(s))$ must be true for all $s$. If $I$ is Moore then $f(s)$ refers to no input variables, therefore, again, $\mathrm{in}(f(s))$ has no free variables. ■


Theorem 20 Every input-complete interface is well-formed.

Proof: Let $I = (X, Y, f)$ be an input-complete interface. Then $\mathrm{in}(f(s))$ is valid for all $s \in \mathcal{A}(X \cup Y)^*$, i.e., $\exists Y : f(s)$ is true for any assignment over $X$. Let $a_X$ be an assignment over $X$ (note that $a_X$ is defined even when $X$ is empty). Then there exists an assignment $a_Y$ on $Y$ such that the combined assignment $(a_X, a_Y)$ on $X \cup Y$ satisfies $f(s)$. Thus $f(s)$ is satisfiable, which means $I$ is well-formed. ■

Every  interface  I  can  be  turned  into  an  input-complete  interface  IC(/)  that  refines  I: 

Definition  19  (Input-completion)  Consider  an  interface  I  =  {X,Y,f).  The  input-completion  of  I,  de¬ 
noted  IC(/),  is  the  interface  IC(/)  :=  (X^Y,  fif),  where  fids)  :=  f{s)  V  ^in(/(s)),  for  all  s  G  A(X  U  Y)*. 

Theorem 21 (Input-completion refines original) If $I$ is an interface then:

1. $\mathrm{IC}(I)$ is an input-complete interface.

2. $\mathrm{IC}(I) \sqsubseteq I$.

Proof: Let $I = (X, Y, f)$ and $\mathrm{IC}(I) = (X, Y, f_{ic})$. Let $s \in \mathcal{A}(X \cup Y)^*$.

1. $\mathrm{in}(f_{ic}(s)) = \exists Y : (f(s) \vee \neg\mathrm{in}(f(s))) = (\exists Y : f(s)) \vee \neg\mathrm{in}(f(s)) = \mathrm{in}(f(s)) \vee \neg\mathrm{in}(f(s)) = \mathrm{true}$ (the second step uses the fact that $\mathrm{in}(f(s))$ has no free variables in $Y$), thus $\mathrm{IC}(I)$ is input-complete.

2. Obviously, $\mathrm{in}(f(s)) \to \mathrm{in}(f_{ic}(s))$. We need to show that $(\mathrm{in}(f(s)) \wedge (f(s) \vee \neg\mathrm{in}(f(s)))) \to f(s)$. The premise can be rewritten as $(\mathrm{in}(f(s)) \wedge f(s)) \vee (\mathrm{in}(f(s)) \wedge \neg\mathrm{in}(f(s))) = \mathrm{in}(f(s)) \wedge f(s)$, which clearly implies $f(s)$. ■
Theorems 21 and 15 imply that for any environment $E$, if $I \models E$ then $\mathrm{IC}(I) \models E$. The converse does not hold in general (see Examples 1 and 9, and observe that $I_2$ is the input-complete version of $I_1$).

Composition by connection reduces to conjunction of contracts for input-complete interfaces, and preserves input-completeness:

Theorem 22 (Connection preserves input-completeness) Let $I_i = (X_i, Y_i, f_i)$, $i = 1, 2$, be disjoint input-complete interfaces, and let $\theta$ be a connection between $I_1$ and $I_2$. Then the contract $f$ of the composite interface $\theta(I_1, I_2)$ is such that, for all $s \in \mathcal{A}(X_{\theta(I_1,I_2)} \cup Y_{\theta(I_1,I_2)})^*$,

$$f(s) = f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta$$

Moreover, $\theta(I_1, I_2)$ is input-complete.

Proof: In $f$, the term defined in Formula (9) is equivalent to true because $\mathrm{in}(f_2(s_2)) = \mathrm{true}$. To see that $\theta(I_1, I_2)$ is input-complete, consider a state $s \in \mathcal{A}(X_{\theta(I_1,I_2)} \cup Y_{\theta(I_1,I_2)})^*$ and let $a$ be an assignment over $X_{\theta(I_1,I_2)}$. Since $\mathrm{in}(f_1(s_1)) = \mathrm{true}$ and $X_1 \subseteq X_{\theta(I_1,I_2)}$, there exists an assignment $b$ over $Y_1$ such that $(a, b) \models f_1(s_1)$. Let $c$ be an assignment over $\mathrm{InVars}(\theta)$ such that $(b, c) \models \rho_\theta$: such an assignment can always be found by setting $c(x)$ to the value that $b$ assigns to $y$, where $(y, x) \in \theta$. Since $\mathrm{in}(f_2(s_2)) = \mathrm{true}$, there exists an assignment $d$ over $Y_2$ such that $(a, c, d) \models f_2(s_2)$. Combining the assignments we get $(a, b, c, d) \models f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta = f(s)$, therefore, $\theta(I_1, I_2)$ is input-complete. ■


It is important to note that the “demonic” interpretation of non-determinism used in our definition of connection is necessary in order for connection to preserve refinement (Theorem 13). In particular, adopting the “angelic” interpretation of non-determinism would result in the standard definition of connection as composition of relations: $f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta$. This works for input-complete interfaces, as shown above, but not for general interfaces, as illustrated in the following example.


Example 17 Let

$$I_{10} := (\{x\}, \{y\}, x = 0 \wedge (y = 0 \vee y = 1))$$

$$I_{12} := (\{z\}, \{w\}, z = 0 \wedge w = 0)$$

Let $\theta := \{(y, z)\}$. The conjunction of the contracts of $I_{10}$ and $I_{12}$, together with the equality $y = z$ imposed by the connection $\theta$, gives the contract $x = 0 \wedge (y = 0 \vee y = 1) \wedge z = 0 \wedge w = 0 \wedge y = z$, which is equivalent to $x = y = z = w = 0$, which is clearly satisfiable. Therefore, we could interpret the composite interface $\theta(I_{10}, I_{12})$ as the interface

$$(\{x\}, \{y, z, w\}, x = y = z = w = 0)$$

Now, consider the interface:

$$I_{11} := (\{x\}, \{y\}, x = 0 \wedge y = 1)$$

It can be checked that $I_{11} \sqsubseteq I_{10}$. But if we connect $I_{11}$ to $I_{12}$, we find that the conjunction of their contracts (with the connection $y = z$) is unsatisfiable. Therefore, if we used conjunction for composition by connection, then the composite interface $\theta(I_{11}, I_{12})$ would not refine $\theta(I_{10}, I_{12})$, even though $I_{11}$ refines $I_{10}$, i.e., Theorem 13 would not hold.


Input-complete interfaces alone do not help in avoiding problems with arbitrary feedback compositions: indeed, in the example given in the introduction both interfaces $I_{\mathrm{true}}$ and $I_{y \neq x}$ are input-complete (see the footnote below). This means that in order to add a feedback connection $(y, x)$ in an input-complete interface, we must still ensure that this interface is Moore w.r.t. input $x$. In that case, feedback preserves input-completeness.

Footnote: It is not surprising that input-complete interfaces alone cannot solve the problems with arbitrary feedback compositions, since these are general problems of causality, not particular to interfaces.
Theorem 23 (Feedback preserves input-completeness) Let $I = (X, Y, f)$ be an input-complete interface which is also Moore with respect to some $x \in X$. Let $\kappa = (y, x)$ be a feedback connection on $I$. Then $\kappa(I)$ is input-complete.

Proof: By definition, $\kappa(I) = (X \setminus \{x\}, Y \cup \{x\}, f_\kappa)$, where $f_\kappa(s) = f(s) \wedge (x = y)$, for all $s \in \mathcal{A}(X \cup Y)^*$. Let $s \in \mathcal{A}(X \cup Y)^*$. We must show that $\mathrm{in}(f_\kappa(s)) = \exists Y \cup \{x\} : f(s) \wedge (x = y)$ is valid. Because $f(s)$ does not refer to $x$, we have $\exists Y \cup \{x\} : f(s) \wedge (x = y) = \exists Y : \exists x : f(s) \wedge (x = y) = \exists Y : (f(s) \wedge (\exists x : x = y)) = \exists Y : f(s) = \mathrm{in}(f(s)) = \mathrm{true}$. ■
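The following Python example is added here and is not code from the paper. It models stateless interfaces over the finite domain {0,1} (an assumption made so that in(·), well-formedness, refinement and composition can be decided by enumeration) and uses them to re-run Example 17 under both readings of connection, the demonic one of Definition 9 (with the term of Formula (9)) and plain conjunction, so that the failure of refinement preservation described above can be observed directly. The same toolkit checks Definition 19 and Theorem 21 (the input-completion refines the original but not conversely) and Theorem 23 (feedback on a Moore input keeps an interface input-complete). The names `Interface`, `connect`, `feedback`, `example17` and the Python encoding of contracts as predicates on dictionaries are this example's own.

```python
from itertools import product

# Added example, not code from the paper: stateless relational interfaces over the
# finite domain {0,1} (an assumption made here), with in(), well-formedness,
# refinement (Definition 16), input-completion (Definition 19), connection under the
# demonic reading of Definition 9 and under plain conjunction, and feedback (Theorem 23).
DOM = (0, 1)

def assignments(vars_):
    """All assignments of DOM values to the given variables, as dicts."""
    vars_ = sorted(vars_)
    return [dict(zip(vars_, vals)) for vals in product(DOM, repeat=len(vars_))]

def restrict(a, vars_):
    """Projection of assignment a onto the given variables."""
    return {v: a[v] for v in vars_}

class Interface:
    """(X, Y, f): f is a predicate on a dict assigning a value to every variable in X and Y."""

    def __init__(self, X, Y, f):
        self.X, self.Y, self.f = frozenset(X), frozenset(Y), f

    def inp(self, ax):
        """in(f) evaluated at the input assignment ax, i.e. (exists Y : f)(ax)."""
        return any(self.f({**ax, **ay}) for ay in assignments(self.Y))

    def well_formed(self):       # f is satisfiable
        return any(self.inp(ax) for ax in assignments(self.X))

    def input_complete(self):    # in(f) is valid
        return all(self.inp(ax) for ax in assignments(self.X))

    def moore_wrt(self, x):      # f does not depend on the value of input x
        return all(self.f(a) == self.f({**a, x: v})
                   for a in assignments(self.X | self.Y) for v in DOM)

def refines(Ip, I):
    """I' ⊑ I (Definition 16): in(f) -> in(f') and in(f) ∧ f' -> f must be valid."""
    assert Ip.X == I.X and Ip.Y == I.Y
    for a in assignments(I.X | I.Y):
        ax = restrict(a, I.X)
        if I.inp(ax) and (not Ip.inp(ax) or (Ip.f(a) and not I.f(a))):
            return False
    return True

def input_completion(I):
    """IC(I) := (X, Y, f ∨ ¬in(f)) (Definition 19)."""
    return Interface(I.X, I.Y, lambda a: I.f(a) or not I.inp(restrict(a, I.X)))

def connect(I1, I2, theta, demonic=True):
    """θ(I1, I2) for θ = {(y, x), ...} with y in Y1 and x in X2.
    demonic=True keeps the term Φ = ∀Y : (f1 ∧ ρθ) -> in(f2) of Formula (9);
    demonic=False is the conjunction f1 ∧ f2 ∧ ρθ discussed after Theorem 22."""
    in_vars = {x for _, x in theta}
    X = I1.X | (I2.X - in_vars)
    Y = I1.Y | I2.Y | in_vars
    V1, V2 = I1.X | I1.Y, I2.X | I2.Y

    def rho(a):                  # ρθ: every connected pair carries the same value
        return all(a[y] == a[x] for y, x in theta)

    def f(a):
        if not (I1.f(restrict(a, V1)) and I2.f(restrict(a, V2)) and rho(a)):
            return False
        if not demonic:
            return True
        ax = restrict(a, X)      # Φ depends only on the inputs of the composite
        return all(not (I1.f(restrict({**ax, **b}, V1)) and rho({**ax, **b}))
                   or I2.inp(restrict({**ax, **b}, I2.X))
                   for b in assignments(Y))
    return Interface(X, Y, f)

def feedback(I, y, x):
    """κ(I) for κ = (y, x) (Theorem 23): x becomes an output and x = y is imposed."""
    assert x in I.X and y in I.Y and I.moore_wrt(x)
    return Interface(I.X - {x}, I.Y | {x}, lambda a: I.f(a) and a[x] == a[y])

# Example 17 of the paper, re-run on the finite domain.
I10 = Interface({'x'}, {'y'}, lambda a: a['x'] == 0 and a['y'] in (0, 1))
I11 = Interface({'x'}, {'y'}, lambda a: a['x'] == 0 and a['y'] == 1)
I12 = Interface({'z'}, {'w'}, lambda a: a['z'] == 0 and a['w'] == 0)
THETA = {('y', 'z')}

def example17():
    """(I11 ⊑ I10, refinement preserved by conjunction?, preserved by demonic connection?)."""
    conj = refines(connect(I11, I12, THETA, demonic=False),
                   connect(I10, I12, THETA, demonic=False))
    dem = refines(connect(I11, I12, THETA), connect(I10, I12, THETA))
    return refines(I11, I10), conj, dem   # (True, False, True)
```

Under the demonic reading both composites of Example 17 have an unsatisfiable contract (the term Φ fails at $y = z = 1$, where $I_{10}$ may output $y = 1$ but $I_{12}$ does not accept $z = 1$), so `connect(I10, I12, THETA).well_formed()` is false and refinement between the two composites holds trivially; under conjunction, $\theta(I_{10}, I_{12})$ accepts $x = 0$ while $\theta(I_{11}, I_{12})$ accepts nothing, which is exactly the violation of Theorem 13 the text describes.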


Theorem 24 (Hiding preserves input-completeness) Let $I = (X, Y, f)$ be an input-complete interface and let $Y' \subseteq Y$, such that $f$ is independent from $Y'$. Then, $\mathrm{hide}(Y', I)$ is input-complete.

Proof: $I$ is input-complete means $\mathrm{in}(f(s))$ is valid for all $s \in \mathcal{A}(X \cup Y)^*$. We must show that $\exists Y \setminus Y' : (\exists Y' : f(s))$ is valid: the latter formula is equivalent to $\exists Y : f(s)$, i.e., $\mathrm{in}(f(s))$. ■


Theorem 25 (Refinement for input-complete interfaces) Let $I$ and $I'$ be input-complete interfaces. Then $I' \sqsubseteq I$ iff $f(I') \subseteq f(I)$.

Proof: Follows directly from Definitions 16 and 3. ■

For input-complete interfaces, the shared-refinability condition, i.e., Condition (28), simplifies to

$$\forall X : \exists Y : f(s) \wedge f'(s)$$

Clearly, this condition does not always hold. Indeed, the interfaces of Example 16 are not shared-refinable, even though they are input-complete. For shared-refinable input-complete interfaces, shared refinement reduces to intersection. Dually, for shared-abstractable input-complete interfaces, shared abstraction reduces to union.

Theorem 26 (Shared refinement and abstraction for input-complete interfaces) Let $I$ and $I'$ be input-complete interfaces.

1. If $I$ and $I'$ are shared-refinable then $f(I \sqcap I') = f(I) \cap f(I')$.

2. If $I$ and $I'$ are shared-abstractable then $f(I \sqcup I') = f(I) \cup f(I')$.

Proof: Follows directly from Definitions 17, 18 and 3. ■

As the above presentation shows, input-complete interfaces are much simpler than general interfaces: refinement is implication of contracts, composition is conjunction, and so on. A legitimate question, then, is why consider non-input-complete interfaces at all? There are mainly two reasons.

First, non-input-complete interfaces can be used to model situations that cannot be modeled by input-complete interfaces. For example, consider modeling a component implementing some procedure that requires certain conditions on its inputs to be satisfied, otherwise it may not terminate. We can capture the specification of this component as an interface, by imposing these conditions in the contract of the interface. But we cannot capture the same specification as an input-complete interface: for what would the output be when the input conditions are violated? We cannot simply add an extra output taking values in $\{T, NT\}$, for “terminates” and “does not terminate”, since non-termination is not an observable property.

Second, even in the case where we could use input-complete interfaces to capture a specification, we may decide not to do so, in order to allow for local compatibility checks. In particular, when connecting two interfaces $I$ and $I'$, we may want to check that their composition is well-formed before proceeding to form an entire interface diagram. Input-complete interfaces are always well-formed and so are their compositions (Theorems 20, 22 and 23), therefore, local compatibility checks provide useful information only in the non-input-complete case.
11 The deterministic case


In this section we state some properties of the theory in the case of deterministic interfaces. First, sink interfaces are by definition deterministic:

Theorem 27 All sink interfaces are deterministic.

Composition by connection reduces to composition of relations when the source interface is deterministic:

Theorem 28 Consider two disjoint interfaces, $I_i = (X_i, Y_i, f_i)$, $i = 1, 2$, and a connection $\theta$ between $I_1$ and $I_2$. Let $\theta(I_1, I_2) = (X, Y, f)$. If $I_1$ is deterministic, then $f(s) = f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta$ for all states $s$.

Proof: Following Definition 9, it suffices to prove that the formula

$$(f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta) \to \forall Y_{\theta(I_1,I_2)} : \big((f_1(s_1) \wedge \rho_\theta) \to \mathrm{in}(f_2(s_2))\big)$$

is valid for any $s_1, s_2$. Let $a \in \mathcal{A}(X_1 \cup Y_1 \cup X_2 \cup Y_2)$ such that $a \models f_1(s_1) \wedge f_2(s_2) \wedge \rho_\theta$. We need to prove that $a \models \forall Y_{\theta(I_1,I_2)} : (f_1(s_1) \wedge \rho_\theta) \to \mathrm{in}(f_2(s_2))$. Let $b \in \mathcal{A}(Y_{\theta(I_1,I_2)})$ such that $(a|b) \models f_1(s_1) \wedge \rho_\theta$. Here, $(a|b)$ denotes the assignment obtained by replacing in $a$ the values of all variables of $b$ (i.e., variables in $Y_{\theta(I_1,I_2)}$) by the values assigned to them by $b$. We need to prove that $(a|b) \models \mathrm{in}(f_2(s_2))$. Observe that, because $X_1 \cap Y_{\theta(I_1,I_2)} = \emptyset$, for all $x_1 \in X_1$, we have $a(x_1) = (a|b)(x_1)$. This and the fact that $I_1$ is deterministic imply that for all $y_1 \in Y_1$, we have $a(y_1) = (a|b)(y_1)$. This and the facts $a \models \rho_\theta$ and $(a|b) \models \rho_\theta$ imply that for all $x_2 \in \mathrm{InVars}(\theta)$, we have $a(x_2) = (a|b)(x_2)$. Finally observe that, because $(X_2 \setminus \mathrm{InVars}(\theta)) \cap Y_{\theta(I_1,I_2)} = \emptyset$, for all $x_2 \in X_2 \setminus \mathrm{InVars}(\theta)$, we have $a(x_2) = (a|b)(x_2)$. Collecting the last two results, we get that for all $x_2 \in X_2$, we have $a(x_2) = (a|b)(x_2)$. This and $a \models f_2(s_2)$ imply $(a|b) \models \mathrm{in}(f_2(s_2))$. ■


Theorem 29 (Hiding preserves determinism) Let $I = (X, Y, f)$ be a deterministic interface and let $Y' \subseteq Y$, such that $f$ is independent from $Y'$. Then, $\mathrm{hide}(Y', I)$ is deterministic.

Proof: Recall that $\mathrm{hide}(Y', I) = (X, Y \setminus Y', f')$, such that for any $s \in \mathcal{A}(X \cup (Y \setminus Y'))^*$, $f'(s) = \exists Y' : f(s)$. If $Y' = Y$ then $\mathrm{hide}(Y', I)$ is a sink, therefore deterministic by Theorem 27. Otherwise, let $s \in f'$ and let $a_X \in \mathrm{in}(f'(s)) = \exists Y \setminus Y' : \exists Y' : f(s) = \mathrm{in}(f(s))$. Since $I$ is deterministic, there is a unique $a_Y \in \mathcal{A}(Y)$ such that $(a_X, a_Y) \in f(s)$. Therefore, there is a unique $a_{Y \setminus Y'} \in \mathcal{A}(Y \setminus Y')$ such that $(a_X, a_{Y \setminus Y'}) \in f'(s)$, which proves determinism of $\mathrm{hide}(Y', I)$. ■


Theorem 30 (Refinement for deterministic interfaces) Let $I$ and $I'$ be deterministic interfaces. Then

$$I' \sqsubseteq I \text{ iff } f(I') \supseteq f(I).$$

Proof: Let $I = (X, Y, f)$ and $I' = (X, Y, f')$.

First, suppose $I' \sqsubseteq I$. To prove $f \subseteq f'$, it suffices to show that for all $s \in f$, $f(s) \to f'(s)$ is valid. Let $a \in \mathcal{A}(X \cup Y)$ such that $a \in f(s)$. Let $a = (a_X, a_Y)$ where $a_X \in \mathcal{A}(X)$ and $a_Y \in \mathcal{A}(Y)$. Then $a_X \in \mathrm{in}(f(s))$, and by Definition 16, $a_X \in \mathrm{in}(f'(s))$. Therefore there exists $a'_Y \in \mathcal{A}(Y)$ such that $(a_X, a'_Y) \in f'(s)$. By Definition 16, $(a_X, a'_Y) \in f(s)$. Since $I$ is deterministic, $a'_Y = a_Y$. Thus, $a = (a_X, a_Y) \in f'(s)$.

Conversely, suppose $f \subseteq f'$. To prove $I' \sqsubseteq I$, it suffices to show that for all $s \in f$, the formulas $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$ and $\mathrm{in}(f(s)) \wedge f'(s) \to f(s)$ are valid. Let $a_X \in \mathrm{in}(f(s))$. Then there exists $a_Y \in \mathcal{A}(Y)$ such that $a := (a_X, a_Y) \in f(s)$. Thus, $s \cdot a \in f$, and by hypothesis, $s \cdot a \in f'$, therefore, $a \in f'(s)$. This implies $a_X \in \mathrm{in}(f'(s))$. This proves $\mathrm{in}(f(s)) \to \mathrm{in}(f'(s))$. Now consider $(a_X, a'_Y) \in f'(s)$ such that $a_X \in \mathrm{in}(f(s))$. The latter fact gives some $(a_X, a_Y) \in f(s) \subseteq f'(s)$, and determinism of $I'$ then forces $a'_Y = a_Y$, so $(a_X, a'_Y) \in f(s)$, which proves $\mathrm{in}(f(s)) \wedge f'(s) \to f(s)$. ■

A corollary of Theorems 25 and 30 is that refinement for input-complete and deterministic interfaces is equality.
For deterministic interfaces, the shared-refinability condition, i.e., Condition (28), simplifies to

$$\forall X, Y : (\mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s))) \to (f(s) \leftrightarrow f'(s))$$

Again, this condition does not always hold. For shared-refinable deterministic interfaces, shared refinement reduces to union. Dually, for shared-abstractable deterministic interfaces, shared abstraction reduces to intersection.

Theorem 31 (Shared refinement and abstraction for deterministic interfaces) Let $I$ and $I'$ be deterministic interfaces.

1. If $I$ and $I'$ are shared-refinable then $f(I \sqcap I') = f(I) \cup f(I')$.

2. If $I$ and $I'$ are shared-abstractable then $f(I \sqcup I') = f(I) \cap f(I')$.

Proof: Let $f := f(I)$, $f' := f(I')$, $f_\sqcap := f(I \sqcap I')$ and $f_\sqcup := f(I \sqcup I')$.

1. The containment $f_\sqcap \subseteq f \cup f'$ follows from Lemma 7. The converse is proven by induction on the length of states. Basis: $\epsilon \in f_\sqcap$. Induction step: Suppose $s \cdot a \in f \cup f'$. WLOG, assume $s \cdot a \in f$. Then $a \in f(s)$. Let $a = (a_X, a_Y)$ with $a_X \in \mathrm{in}(f(s))$. If $a_X \notin \mathrm{in}(f'(s))$, then clearly $a \in f_\sqcap(s)$. Otherwise, there exists $a'_Y$ such that $(a_X, a'_Y) \in f'(s)$. Since $I'$ is deterministic, and by the shared-refinability hypothesis, $a_Y = a'_Y$. Therefore $a \in f(s) \cap f'(s)$, or $s \cdot a \in f \cap f'$, thus, by Lemma 7, $s \cdot a \in f_\sqcap$.

2. The containment $f \cap f' \subseteq f_\sqcup$ follows from Lemma 9. The converse is proven by induction on the length of states. Basis: $\epsilon \in f \cap f'$. Induction step: Suppose $s \cdot a \in f_\sqcup$, thus, $a \in f_\sqcup(s)$. By the induction hypothesis, $s \in f_\sqcup$ implies $s \in f \cap f'$. Thus, $a \models \mathrm{in}(f(s)) \wedge \mathrm{in}(f'(s)) \wedge (f(s) \vee f'(s))$. Because $I$ and $I'$ are deterministic, this implies $a \models f(s) \wedge f'(s)$, therefore, $s \cdot a \in f \cap f'$. ■


Notice that Theorems 30 and 31 are duals of Theorems 25 and 26.
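An added example, not code from the paper, that checks the duality just noted exhaustively in the stateless case. It enumerates all sixteen contracts on one input $x$ and one output $y$ ranging over $\{0,1\}$ (the finite domain and the one-input, one-output shape are assumptions made here) and verifies that refinement is contract containment in the direction of Theorem 25 for input-complete contracts and in the opposite direction of Theorem 30 for deterministic ones. It also computes the greatest lower bound under $\sqsubseteq$ by brute force, without going through the definition of $\sqcap$, and confirms that the bound exists exactly under the simplified shared-refinability conditions stated above and equals the intersection (Theorem 26) or the union (Theorem 31) respectively. The names `glb`, `check_input_complete_case` and `check_deterministic_case` are this example's own.

```python
from itertools import product

# Added example, not code from the paper.  A stateless contract over one input x and
# one output y, both ranging over {0,1} (assumption made here), is the set of (x, y)
# pairs that satisfy it; ALL_CONTRACTS enumerates all sixteen of them.
DOM = (0, 1)
PAIRS = [(x, y) for x in DOM for y in DOM]
ALL_CONTRACTS = [frozenset(p for p, keep in zip(PAIRS, bits) if keep)
                 for bits in product((False, True), repeat=len(PAIRS))]

def inp(f):
    """in(f): the inputs for which some output satisfies f."""
    return {x for x, _ in f}

def refines(fp, f):
    """f' ⊑ f (Definition 16): in(f) -> in(f') and in(f) ∧ f' -> f."""
    return inp(f) <= inp(fp) and all(p in f for p in fp if p[0] in inp(f))

def deterministic(f):
    """Every accepted input has exactly one output."""
    return all(len({y for x2, y in f if x2 == x}) == 1 for x in inp(f))

def input_complete(f):
    """in(f) is valid, i.e. every input is accepted."""
    return inp(f) == set(DOM)

def glb(f, fp):
    """Greatest lower bound of f and f' under ⊑ among ALL_CONTRACTS, or None.
    ⊑ is antisymmetric on contracts, so the bound is unique when it exists."""
    lower = [g for g in ALL_CONTRACTS if refines(g, f) and refines(g, fp)]
    for g in lower:
        if all(refines(h, g) for h in lower):
            return g
    return None

def check_input_complete_case():
    """Theorem 25: ⊑ is ⊆.  Theorem 26(1): the bound exists iff ∀x ∃y : f ∧ f'
    (i.e. f ∩ f' is again input-complete), and then it equals f ∩ f'."""
    for f, fp in product(ALL_CONTRACTS, repeat=2):
        if not (input_complete(f) and input_complete(fp)):
            continue
        if refines(fp, f) != (fp <= f):
            return False
        g = glb(f, fp)
        if (g is not None) != input_complete(f & fp):
            return False
        if g is not None and g != f & fp:
            return False
    return True

def check_deterministic_case():
    """Theorem 30: ⊑ is ⊇.  Theorem 31(1): the bound exists iff the unique outputs
    agree on every input accepted by both, and then it equals f ∪ f'."""
    for f, fp in product(ALL_CONTRACTS, repeat=2):
        if not (deterministic(f) and deterministic(fp)):
            continue
        if refines(fp, f) != (fp >= f):
            return False
        g = glb(f, fp)
        shared_refinable = inp(f) & inp(fp) <= inp(f & fp)
        if (g is not None) != shared_refinable:
            return False
        if g is not None and g != f | fp:
            return False
    return True
```

Both checks return `True`. The brute-force bound makes the reason for the duality visible: a lower bound of $f$ and $f'$ must accept every input either of them accepts and may only produce outputs both allow on shared inputs, so for input-complete contracts the largest such contract is the intersection, while for deterministic contracts it is the union of the two graphs, which exists only when they agree wherever both are defined.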


12 Conclusion and perspectives

We have proposed a compositional theory that allows one to reason formally about components in a synchronous setting, and offers guarantees of substitutability. The theory is directly applicable to the class of applications captured in synchronous embedded software environments like Simulink, SCADE or Ptolemy, mentioned in the introduction (e.g., see [42] for an example of possible applications). But our framework should also be applicable to more general-purpose software. For example, stateless interfaces can be used as extended types that are able to express constraints on the outputs based on information about the inputs of a given function. Synchronous hardware is another important application domain for our work. We are currently building an implementation of our theory on Ptolemy and experimenting with different kinds of applications. Reports on such experiments will be provided as part of future work.

Another avenue for future work is to examine the current limitations on feedback compositions. Requiring feedback loops to contain Moore interfaces that “break” potential causality cycles is arguably a reasonable restriction in practice. After all, arbitrary feedback loops in synchronous models generally result in ambiguous semantics [35, 9]. In many languages and tools these problems are avoided by making restrictions similar to (and often stricter than) ours. For example, Simulink and SCADE generally require a unit delay to be present in every feedback loop. Similar restrictions are used in the synchronous language Lustre [12].

Still, it would be interesting to study to what extent the current restrictions can be weakened. One possibility could be to refine the definition of Moore interfaces to include dependencies between specific pairs of input and output variables. This would allow one to express, for example, the fact that in the parallel composition of $(\{x_1\}, \{y_1\}, x_1 = y_1)$ and $(\{x_2\}, \{y_2\}, x_2 = y_2)$, $y_1$ does not depend on $x_2$ and $y_2$ does not depend on $x_1$ (and therefore one of the feedbacks $(y_1, x_2)$ or $(y_2, x_1)$ can be allowed). Such an extension could perhaps be achieved by combining our relational interfaces with the causality interfaces of [50], input-output dependency information such as that used in reactive modules [3], or the coarser profiles of [33]. A more general solution could involve studying fixpoints in a relational context, as is done, for instance, in [16].